ever get that feeling you ‘re being watched ? If you ‘ve presently got the Screencastify Chrome extension active voice, you could be. A defect the company claimed was ‘fixed ‘ may still allow malicious actors to access unsuspecting users ‘ webcam and background action, and record it for whatever they see fit. You ‘ve probably seen these ‘sextortion ‘ emails : “ We have a record of you doing X, Y, Z. Send us $ 10,000 in some obscure cryptocurrency or we ‘ll release the vid for all the earth to see. ”
With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlifyrunning, Marketo, and ZenDesk. It ‘s an annex that lets users record, edit and take video contented for influence and school projects, so exploiter include teachers, and schoolchildren at diverse stages of their department of education. I can entirely imagine the panic from parents when the vulnerability was discovered, and their likely fury knowing it hush has n’t been properly fixed. According to Bleeping Computer ( opens in raw check ), a cross-site script ( XSS ) vulnerability in the Screencastify software was reported by security research worker Wladimir Palant on February 14, 2022. Devs behind the Chrome extension promptly sent out a suppose pay back, but Palant has made it clear the app is still putting users in a vulnerable side for exploitation, and extortion. On installing Screencastify, it asks to access your Google Drive and makes a permanent Google OAuth access token for the company ‘s account. The cloud folders created with the keepsake, in which all the users video projects are saved, are allegedly lease unhidden.
Read more: A Few Thoughts on Cryptographic Engineering
“ We use security and engineering measures consistent with diligence standards to try to protect your information and make certain that it is not lost, damaged or accessed by anyone who should not see it. ” “ Despite our security measures, we can not guarantee the absolute security of your personal information. ” hera ‘s hoping the vulnerability is sorted by rights, and soon, before rogue employees or hackers start making use of the feat. Best to use a different chopine for the time being, possibly .