Chrome extension ‘Fixed’ flaw could allow hackers to record feeds from your webcam and desktop

Have you ever had that feeling that you’re being watched? If you currently have the Screencastify Chrome extension enabled, you might be. A flaw the company claimed to have ‘fixed’ could still allow malicious actors to access the webcam and desktop activity of unsuspecting users and save the recordings wherever they see fit.

You’ve probably seen these ‘sextortion’ emails: “We have a recording of you doing X, Y, Z. Send us $10,000 in some shady cryptocurrency or we’ll release the video for the whole world to see.”

With over 10,000,000 installs, Screencastify serves a variety of companies such as Webflow, Teachable, Atlassian, Netlify, Marketo, and ZenDesk. It is an extension that allows users to record, edit and upload video content for work and school projects, so users can include teachers and students at various stages of their education. I can only imagine the parents’ panic when the vulnerability was discovered, and their potential fury knowing that it still hasn’t been properly corrected.

According to Bleeping Computer, a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. The developers behind the Chrome extension immediately submitted an alleged fix, but Palant made it clear that the application is still putting users in a vulnerable position for exploitation and extortion.

When installed, Screencastify requests access to your Google Drive and creates a permanent Google OAuth access token for the company account. Cloud folders created with the token, in which all users’ video projects are saved, are supposed to be displayed.

Chrome’s desktopCapture API and tabCapture permissions are also automatically granted when you install the software, which means it can also record your desktop.

Also, the software’s WebRTC API permission is only requested once, which means the capture functions are continuously enabled from the start unless you toggle the setting to ‘ask for permission’ each time. Even so, Palant found that hackers could not only steal the authentication token, but also use the Screencastify app to record without notifying the user at all.
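For anyone reviewing which of their own extensions hold the install-time capture permissions and Drive-capable OAuth scopes described above, here is a small audit function. It is an added example, not code from Screencastify, Palant or Bleeping Computer; the two sample manifests, the placeholder client ID and the severity labels are constructed for illustration.

```javascript
// Added example: flag the permission mix this article describes in a Chrome extension manifest.
const CAPTURE_PERMISSIONS = ["desktopCapture", "tabCapture"];
const DRIVE_SCOPE_PREFIX = "https://www.googleapis.com/auth/drive";

function auditManifest(manifest) {
  const required = new Set(manifest.permissions || []);
  const optional = new Set(manifest.optional_permissions || []);
  const findings = [];

  for (const perm of CAPTURE_PERMISSIONS) {
    if (required.has(perm)) {
      // Listed under "permissions": granted when the extension is installed.
      findings.push({ id: perm, severity: "high", note: "granted at install" });
    } else if (optional.has(perm)) {
      // Listed under "optional_permissions": the user is prompted at runtime.
      findings.push({ id: perm, severity: "medium", note: "requested at runtime" });
    }
  }

  // OAuth scopes declared for chrome.identity; any Drive scope means a token with Drive reach.
  const scopes = (manifest.oauth2 && manifest.oauth2.scopes) || [];
  for (const scope of scopes) {
    if (scope.startsWith(DRIVE_SCOPE_PREFIX)) {
      findings.push({ id: scope, severity: "medium", note: "OAuth token can reach Google Drive" });
    }
  }

  // The combination is what matters: silent capture plus a cloud token to store or steal.
  const hasCapture = findings.some((f) => CAPTURE_PERMISSIONS.includes(f.id) && f.severity === "high");
  const hasDrive = findings.some((f) => f.id.startsWith(DRIVE_SCOPE_PREFIX));
  return { name: manifest.name || "(unnamed)", findings, combinedRisk: hasCapture && hasDrive };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_RECORDER = {
  name: "Example Recorder",
  manifest_version: 3,
  permissions: ["desktopCapture", "tabCapture", "identity", "storage"],
  oauth2: {
    client_id: "PLACEHOLDER.apps.googleusercontent.com",
    scopes: ["https://www.googleapis.com/auth/drive.file"],
  },
};
const SAMPLE_NOTES = {
  name: "Example Notes",
  manifest_version: 3,
  permissions: ["storage"],
  optional_permissions: ["tabCapture"],
};

for (const m of [SAMPLE_RECORDER, SAMPLE_NOTES]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

The webcam and microphone permission obtained through WebRTC is not declared in the manifest, so this check does not cover it.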

“It doesn’t seem to have changed much here, and I could see that it’s still possible to start a webcam recording without any visual cues,” explains Palant in his research blog.

“The issue was located on the error page displayed if you have already submitted a video to a challenge and were trying to submit another one.” And since the error page has a fixed address, “it can be opened directly instead of triggering the error condition”.

Both Bleeping Computer and Palant contacted Screencastify, but to no avail.

Here’s a quick look at Screencastify’s privacy policy:

“We use security measures and technology consistent with industry standards to try to protect your information and ensure it is not lost, damaged or accessed by anyone who shouldn’t see it.”

“Despite our security measures, we cannot guarantee the absolute security of your personal information.”

We hope that the vulnerability is classified correctly and soon, before rogue employees or hackers start using the exploit. Better to use a different platform for now, perhaps.
