tl;dr

Browsers don't handle webcam permissions well enough. Users should be extremely wary of what's going on in their browser. Of a list of 30 bugs submitted to Google regarding that issue, most have been fixed, but some are still alive.

The most obvious bug, still alive and kicking in all browsers, is PopJacking, which is clickjacking using popups. This flaw can be abused to trick users into allowing malicious access to their webcam, for example.

Video of the 5 POCs is here

Full text

More than a year ago (6.6.2014) I submitted a list of ~30 security bugs regarding the way Chrome handles webcam access. These bugs also concerned the way Chrome handled almost all other kinds of special permissions, from webcam/mic access to location.

Some of these concerned bugs and poor implementation of popups, and how those could be abused to gain webcam access.

Yesterday Google made my bug report public, so I figured it's about time I shared my findings (all of these links and info were private until now):

This is the original post I privately sent to Google; it has the info

A video with 5 different POCs

The POC and source code

The bug thread on Google

While Google fixed most of these bugs, some of them are still unfixed. But even those that were fixed are not fixed well enough and are still vulnerable to PopJacking. Meaning, an attacker can still trick a user into allowing webcam access, pretty easily.

PopJacking is merely clickjacking using a popup, probably the most overlooked flaw in browsers since clickjacking.

Another side note here is about Google's behaviour regarding this bug:

At first they seemed thrilled about it, but then it took them almost a year to fix most of it. Only to eventually declare it "Wontfix".

One of the bugs I submitted was opened as a different private bug, but anyone can easily figure out which one it is from the conversation in the currently open bug thread.

From the way Google dealt with this bug and some other security bugs I and others have submitted, it's clear that Google will greatly prefer to dismiss security bugs as "Wontfix" or "not a bug". Anything other than RCE or XSS will have difficulty fitting in.

I'm pretty sure that something like clickjacking would have been immediately dismissed, only to realise afterwards the mistake that had been made.

More on that, with some examples, in a later post.

So are we safe now?

– No.

It's still too damn easy to trick a user into allowing something like webcam access, and that applies to other browsers, not just Chrome. Be extremely wary of where you click and what's going on in your browser at all times. The indication that a website is accessing your camera is not clear enough; you gotta be wary. (Firefox's indication is much better, btw.)

Beside the specific security bugs in popups and the way they can be exploited for PopJacking, I would argue that there is not even one legitimate use of browser popups in terms of user experience.

Browser vendors should just kill popups altogether, forever.