It is no longer a secret that browsers (or any application, for that matter) record users’ information and even use it. Unfortunately, it seems the Chrome browser has joined this ‘league’ too. The latest privacy issue, found in the HTML5 video and audio API on desktop Chrome, has put us in this dilemma. It comes down to JavaScript code that initiates access to the audio and video devices. When it runs, it makes the Chrome browser ask the user to grant a general usage permission. These permission requests look the same as any other permission request.
Users often grant such permission, reasoning that it is the Chrome browser and so probably harmless. Besides, many websites ask for such permissions nowadays. Although Chrome has its own line of defense to prevent such recordings, there is still a slight chance that developers can exploit a small UX manipulation to activate the MediaRecorder API without alerting users. Thus, the recording may happen without users’ knowledge.
What exactly happens behind the scenes with the Chrome browser
This whole thing starts with one feature of the new HTML5 API. It allows users to grab audio or video output right from the browser. Native Windows interfaces and browser plugins are no longer needed for this task. In fact, Firefox, Chrome and, very soon, Edge will allow any JavaScript code to gain access to devices with a camera and microphone.
Of course, granting access to audio or video on these devices also gives rise to further hazards, such as exposing the devices to vulnerabilities. To prevent such hazards, browser developers created two barriers that should prevent, or at least mitigate, privacy violations. The following code makes the Chrome browser ask for permission.
After getting the user’s general permission for video and audio usage, the developer gets access to the stream of data from those devices. But in order to use this stream, the developer needs to record it. This is done with the MediaRecorder API.
However, as mentioned before, developers can perform a small UX manipulation that lets the MediaRecorder API work without sending any alert to users. In this case, the Chrome browser shows no visual indication that any sort of recording is happening.
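One way to make MediaRecorder use visible when the browser itself shows nothing, as an added example that is not code from the original article: it wraps `start()` and `stop()` on the recorder class and reports every recording to a callback, which an extension or page script could turn into a visible indicator. The names `watchRecorder`, `FakeRecorder`, `fakeStream` and `demo` are hypothetical; in a page the class passed in would be `window.MediaRecorder`.

```javascript
// Added example (not from the original article): report MediaRecorder activity.
// RecorderClass is a parameter so the code runs in a page (window.MediaRecorder)
// or against a constructed stand-in. Recordings that end without stop() are not tracked.
function watchRecorder(RecorderClass, notify) {
  const proto = RecorderClass.prototype;
  const original = { start: proto.start, stop: proto.stop };
  const active = new Set();

  proto.start = function (...args) {
    active.add(this);
    // Report which kinds of track (audio, video) the recorder is capturing.
    const tracks = this.stream && this.stream.getTracks ? this.stream.getTracks() : [];
    const kinds = [...new Set(tracks.map((t) => t.kind))].sort();
    notify({ event: "start", kinds, activeCount: active.size });
    return original.start.apply(this, args);
  };

  proto.stop = function (...args) {
    active.delete(this);
    notify({ event: "stop", kinds: [], activeCount: active.size });
    return original.stop.apply(this, args);
  };

  // Handle for querying the current state and undoing the instrumentation.
  return {
    activeCount: () => active.size,
    restore() { proto.start = original.start; proto.stop = original.stop; },
  };
}

// Constructed stand-in for MediaRecorder so the block runs outside a browser.
class FakeRecorder {
  constructor(stream) { this.stream = stream; this.state = "inactive"; }
  start() { this.state = "recording"; }
  stop() { this.state = "inactive"; }
}
const fakeStream = { getTracks: () => [{ kind: "video" }, { kind: "audio" }] };

function demo() {
  const events = [];
  const handle = watchRecorder(FakeRecorder, (e) => events.push(e));
  const rec = new FakeRecorder(fakeStream);
  rec.start();
  const during = handle.activeCount();
  rec.stop();
  handle.restore();
  return { events, during, after: handle.activeCount() };
}
```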
Chrome has been made aware of this issue. Until it is acknowledged and resolved by Chrome, users are advised to be cautious about granting permissions online, says medium.com.