ever get that feeling you ‘re being watched ? If you ‘ve presently got the Screencastify Chrome extension active voice, you could be. A defect the company claimed was ‘fixed ‘ may still allow malicious actors to access unsuspecting users ‘ webcam and background action, and record it for whatever they see fit. You ‘ve probably seen these ‘sextortion ‘ emails : “ We have a record of you doing X, Y, Z. Send us $ 10,000 in some obscure cryptocurrency or we ‘ll release the vid for all the earth to see. ”
Reading: ‘Fixed’ Chrome extension flaw could allow hackers to record both your webcam and desktop feeds
With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlifyrunning, Marketo, and ZenDesk. It ‘s an annex that lets users record, edit and take video contented for influence and school projects, so exploiter include teachers, and schoolchildren at diverse stages of their department of education. I can entirely imagine the panic from parents when the vulnerability was discovered, and their likely fury knowing it hush has n’t been properly fixed. According to Bleeping Computer ( opens in raw check ), a cross-site script ( XSS ) vulnerability in the Screencastify software was reported by security research worker Wladimir Palant on February 14, 2022. Devs behind the Chrome extension promptly sent out a suppose pay back, but Palant has made it clear the app is still putting users in a vulnerable side for exploitation, and extortion. On installing Screencastify, it asks to access your Google Drive and makes a permanent Google OAuth access token for the company ‘s account. The cloud folders created with the keepsake, in which all the users video projects are saved, are allegedly lease unhidden.
Chrome ‘s desktopCapture API and tabCapture permissions are besides granted automatically when you install the software, meaning it has the ability to record your background excessively. On top of this, the software’s WebRTC API permission is alone requested once, meaning the capture functions are endlessly enabled from the drive go, unless you switch the mount to ‘ask permission ‘ each time. even then, Palant found that hackers could not lone steal the authentication token, but besides use the Screencastify app to record without notifying the user at all. “ not a lot appears to have changed here, and I could verify that it is still potential to start a webcam recording without any ocular clues, ” Palant explains in their research blog mail ( opens in new tab ). “ The problem was located in the erroneousness page displayed if you already submitted a video to a challenge and were trying to submit another one. ” And since the error page has a sterilize savoir-faire, “ it can be opened immediately preferably than triggering the error condition. ” Both Bleeping Computer and Palant have contacted Screencastify, but to no avail. here ‘s a quick glance over the Screencastify privacy policy :
Read more: A Few Thoughts on Cryptographic Engineering
“ We use security and engineering measures consistent with diligence standards to try to protect your information and make certain that it is not lost, damaged or accessed by anyone who should not see it. ” “ Despite our security measures, we can not guarantee the absolute security of your personal information. ” hera ‘s hoping the vulnerability is sorted by rights, and soon, before rogue employees or hackers start making use of the feat. Best to use a different chopine for the time being, possibly .