Wednesday, May 31, 2017

Vulnerabilities Equities Process

EPIC.org has an interesting post on their blog that I hadn't seen before on the Vulnerabilities Equities Process.

It's particularly timely given the recent "Wannacry" ransomware, which appeared to use leaked government code that may not have been reported to Microsoft.

Questions from the VEP: Is it the job of the intelligence community to find and report bugs? Are the bug hunters at the IC that much better at programming than Microsoft? Maybe the IC should share their bug hunting techniques? How about people not buying buggy software?

Google Chrome "feature" allows recording audio and video without indicator

Slashdot writes about it here - Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator

"Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data but when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.

Google's bug site at first treats it as a feature, not a bug,


Components: UI>Browser>Permissions>Indicators
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Team-Security-UX OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Status: Available
Thanks for the report. This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser.
The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation. I'll put this in our general permissions indicator pool.
but I expect they'll come around quickly.