'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds

By Katie Wickens
PC Gamer
3 days ago

A Screencastify vulnerability that allows monitoring by malicious actors was apparently fixed, but experts say it still has security flaws.

(Image credit: D-Keine/Getty)

Ever get that feeling you're being watched? If you've currently got the Screencastify Chrome extension active, you could be. A flaw the company claimed was 'fixed' may still allow malicious actors to access unsuspecting users' webcam and desktop activity, and record it for whatever they see fit.

You've probably seen these 'sextortion' emails: "We have a recording of you doing X, Y, Z. Send us $10,000 in some obscure cryptocurrency or we'll release the vid for all the world to see."

With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlify, Marketo, and ZenDesk. It's an extension that lets users record, edit and submit video content for work and school projects, so its users include teachers and schoolchildren at various stages of their education. I can only imagine the panic from parents when the vulnerability was discovered, and their potential fury knowing it still hasn't been properly fixed.

According to Bleeping Computer, a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. The devs behind the Chrome extension promptly sent out a supposed fix, but Palant has made it clear the app is still leaving users open to exploitation and extortion.

On installing Screencastify, it asks for access to your Google Drive and creates a permanent Google OAuth access token for the company's account. The cloud folders created with the token, in which all the users' video projects are saved, are allegedly left unhidden.

Chrome's desktopCapture API and tabCapture permissions are also granted automatically when you install the software, meaning it has the ability to record your desktop too.

On top of this, the software's WebRTC API permission is only requested once, meaning the capture functions are continuously enabled from the get-go, unless you switch the setting to 'ask permission' each time. Even then, Palant found that hackers could not only steal the authentication token, but also use the Screencastify app to record without notifying the user at all.
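An added example, not code from the article or from Screencastify: a small Python audit that reads the manifest.json of every installed Chrome extension and reports those declaring the desktopCapture or tabCapture permissions the article mentions, plus any all-site host access. The on-disk layout `Extensions/<id>/<version>/manifest.json` is the one Chrome uses; the sample manifests below are constructed, not any real extension's.

```python
import json
import tempfile
from pathlib import Path

# Permissions the article names as letting an extension record your desktop or tabs.
CAPTURE_PERMISSIONS = {"desktopCapture", "tabCapture"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest: dict) -> dict:
    """Summarise the capture-related capabilities one manifest.json declares (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 listed host patterns under "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "capture": sorted(perms & CAPTURE_PERMISSIONS), "broad_hosts": sorted(hosts & BROAD_HOSTS)}

def audit_extensions(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and list extensions able to capture."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the whole audit
        result = assess_manifest(manifest)
        if result["capture"]:
            result["id"] = path.parts[-3]  # the <id> directory
            findings.append(result)
    return findings

# Constructed sample manifests (hypothetical, not any real extension's) so this runs offline.
SAMPLE_MANIFESTS = {
    "aaaa/1.0": {"manifest_version": 3, "name": "Recorder", "version": "1.0",
                 "permissions": ["desktopCapture", "tabCapture", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbb/2.1": {"manifest_version": 2, "name": "Notes", "version": "2.1",
                 "permissions": ["storage", "https://example.com/*"]},
    "cccc/0.3": {"manifest_version": 2, "name": "Clipper", "version": "0.3", "permissions": ["tabCapture"]},
}

def run_sample_audit() -> list:
    """Lay the samples out like a Chrome profile's Extensions folder in a temp dir, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        for rel, manifest in SAMPLE_MANIFESTS.items():
            target = root / rel / "manifest.json"
            target.parent.mkdir(parents=True)
            target.write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(root)
```

To audit a real profile, call `audit_extensions()` on its Extensions folder (on Linux, for example, `~/.config/google-chrome/Default/Extensions`); anything it lists can record your screen as soon as a page or script inside that extension is compromised.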


"Not much appears to have changed here, and I could verify that it is still possible to start a webcam recording without any visual clues," Palant explains in their research blog post.

"The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one." And since the error page has a fixed address, "it can be opened directly rather than triggering the error condition."

Both Bleeping Computer and Palant have contacted Screencastify, but to no avail.

Here's a quick glance over the Screencastify privacy policy:

"We use security and technology measures consistent with industry standards to try to protect your information and make sure that it is not lost, damaged or accessed by anyone who should not see it."

"Despite our security measures, we cannot guarantee the absolute security of your personal information."

Here's hoping the vulnerability is sorted properly, and soon, before rogue employees or hackers start making use of the exploit. Best to use a different platform for the time being, perhaps.


Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. She can often be found admiring AI advancements, sighing over semiconductors, or gawping at the latest GPU upgrades. She's been obsessed with computers and graphics since she was small, and took Game Art and Design up to Masters level at uni. Her thirst for absurd Raspberry Pi projects will never be sated, and she will stop at nothing to spread internet safety awareness—down with the hackers.
