Bug in Google Chrome lets sites access your webcam and secretly record you


A bug in Google Chrome could let hackers take over your webcam and secretly record you, it has been claimed.

The bug in Chrome was discovered by developer Ran Bar-Zik who says that sites can exploit the bug to secretly record audio and video via a webcam without the user’s knowledge.

The issue is made possible by the fact that Chrome relies on Web Real-Time Communications (WebRTC), a set of protocols that make video and audio calls possible from within the popular web browser.

To help keep users safe, web browsers will check that a particular website has permission to use WebRTC in order to access the webcam or microphone on your computer.

Once you grant permission, the site will then always be able to access your webcam or microphone each time you request it.

This is the reason why you don’t grant permission to Facebook or Skype each time you make a video call.

While this is convenient, it could in theory allow any site to which you previously granted permission to access your webcam and microphone.
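As an added illustration (not code from the article, from Bar-Zik or from Chrome), the Python script below lists which sites already hold a standing camera or microphone grant in a Chrome profile. It assumes Chrome records these grants in the profile's `Preferences` JSON file under `profile.content_settings.exceptions.media_stream_camera` and `media_stream_mic`, with `setting` 1 meaning "allow"; the function names and the sample data are constructed for the example.

```python
import json

# Chrome's ContentSetting values as stored in the profile's Preferences file
# (assumed layout: profile.content_settings.exceptions.<type>.<pattern>.setting).
ALLOW = 1
MEDIA_TYPES = {"media_stream_camera": "camera", "media_stream_mic": "microphone"}


def persistent_media_grants(prefs: dict) -> dict:
    """Map each origin to the sorted devices it may use without a new prompt."""
    exceptions = (
        prefs.get("profile", {}).get("content_settings", {}).get("exceptions", {})
    )
    grants = {}
    for key, device in MEDIA_TYPES.items():
        for pattern, entry in (exceptions.get(key) or {}).items():
            if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
                continue  # blocked, "ask" or malformed entries are not grants
            # Keys look like "<primary pattern>,<secondary pattern>"; keep the primary.
            origin = pattern.split(",", 1)[0]
            grants.setdefault(origin, set()).add(device)
    return {origin: sorted(devs) for origin, devs in sorted(grants.items())}


def load_grants(path: str) -> dict:
    """Read a Preferences file from a Chrome profile directory and list its grants."""
    with open(path, encoding="utf-8") as fh:
        return persistent_media_grants(json.load(fh))


# Constructed sample data, not taken from a real profile.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {
  "media_stream_camera": {
    "https://calls.example:443,*": {"setting": 1},
    "https://blocked.example:443,*": {"setting": 2}
  },
  "media_stream_mic": {
    "https://calls.example:443,*": {"setting": 1},
    "https://voice.example:443,*": {"setting": 1}
  }
}}}}
""")

if __name__ == "__main__":
    for origin, devices in persistent_media_grants(SAMPLE_PREFS).items():
        print(f"{origin}: {', '.join(devices)}")
```

Any origin in the output that you no longer use for calls is a candidate for having its permission revoked in Chrome's site settings.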

So that users are aware, Chrome uses an icon to indicate when audio or video is being recorded when using sites such as YouTube, Hangouts or live streaming to your TV. For example, a red dot is displayed in the corner of a tab to tell you audio or video is being recorded.

Image: Hacker News

However, Ran Bar-Zik claims that if an authorised website displays a headless pop-up window, then the record icon will not be displayed because Chrome hasn’t been designed to display the red dot in headless windows.

Bar-Zik said he first reported the bug to Google in April but the tech giant didn’t consider it to be a big enough issue to roll out an urgent security update, The Hacker News reported.

However, Google has said it will fix the problem and “improve the situation” in future security updates.

In response Google said: “This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.”

To stay safe, it is possible to disable WebRTC, but that means you won’t be able to use video calling on sites such as Facebook.

Of course perhaps the easiest way to avoid being spied on via your webcam is to follow the examples of Facebook CEO Mark Zuckerberg and former FBI chief James Comey, who have both admitted to covering their webcams with tape.

