The Google Chrome browser first became popular in 2008 thanks to its reliability on aspects such as speed and security, and its stable interface. Chrome is now famously known as one of the safest browsers available on the market. However, it turns out sometimes, hackers don’t need to dig very deep in order to find ways to attack online users. It appears Google Chrome users could be the target of what is considered by some as an important security issue.
Some would think such a flaw would be hugely worrying to Google, and users have proved very concerned. But opinion on the matter varies widely: Google doesn’t consider it a valid threat to the online security of its users, and has confirmed it will not rush in the making of a security patch to fix what it doesn’t deem a problem.
A spokesperson for Google emphasized on the fact that “many browsers still support plugins which access camera/mic in ways that aren’t clear to users, or that even the browser can’t detect. Chrome doesn’t, and hasn’t for a while. In other words, the signals we show are more useful/transparent than other browsers.” A developer who works on the Chromium source code (the one that powers Chrome) also declared that “this isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser”.
But how does this flaw work exactly, and how can you keep preying eyes from turning on your webcam without your knowledge to snoop on what you’re doing?
The issue arises from Chrome’s reliance on Web RTC (or Web Real-Time Communications) protocols to make and receive audio and video calls directly within the browser, without the use of third party apps or additional plugins. So the first step consists of loading a page that uses Web RTC and prompts Chrome to turn on the user’s camera and microphone in order to start a voice and video chat session. In an effort to protect users’ privacy, permission must be granted to a certain website for it to use WebRTC and use a device’s webcam and microphone. Chrome also displays a small red dot icon on the browser tab whenever audio or video is being recorded. But what most users don’t know is that once permission is granted to a certain website, it will always be allowed by the browser to access the users’ camera and microphone, unless the WebRTC permission is manually revoked. This is meant to be convenient for users, so they don’t have to grant authorization to the same website over and over, but it actually poses the risk for websites to furtively access a device’s webcam and mic at any given time.
However, Bar-Zik discovered that once WebRTC had been allowed in one Chrome tab, a script of his own creation could be ran in a different tab, and thus was able to connect to the video and audio feed. The red dot icon does show briefly in the first tab, but disappears as soon as the new headless tab opens, because Google Chrome can’t currently display this recording symbol on a headless window. Even though a small camera icon does show up then at the end of the address bar of the tab that’s recording the audio and video, it’s a lot more discrete than a blinking red dot icon, and consequently a lot less likely to catch users’ attention.
“This record indication is the last and the most important line of defence.”, said Ran Bar-Zik. Such a flaw basically enables website developers to “exploit small UX manipulation to activate the MediaRecorder API without alerting the users,” he added.
Google has stated it would work on ways to “improve the situation” with future updates of the iconic browser. “The dot is a best-first effort that only works on the desktop when we have Chrome UI space available. That being said, we are looking at ways to improve this situation.”
According to Bleeping Computer, the real problem the users face nowadays is something called UI fatigue. Similarly to the behavior the average user adopts when they use the same passwords on different websites or platforms, they have also grown used to closing pop-up windows, warning messages and the likes without actually making the effort to read them. According to Bar-Zik, that sort of habit can quickly become harmful when using computers or connected devices.
So the “fix” is to read them carefully when those warning boxes show on your screen. It is also preferable not to allow Chrome (or any other browser) to turn on your webcam if you don’t use a browser-based video chat app on a regular basis. Another solution also consists of placing a piece of tape or a sticker on your webcam when you’re not using it, Mark Zuckerberg style.
However, if you are looking for a more concrete and secure solution to insure your safety on the matter, it is possible to regulate or fully disable WebRTC in Chrome with this official plugin.
And lastly, it’s good to remember that TorGuard VPN offers WebRTC IP leak protection to block ban any IP leakage via WebRTC. Wondering if your browser is leaking via WebRTC ? Run the WebRTC Leak Test to ensure your VPN is not leaking.