The new Chrome version recently released by Google in the project’s beta channel could pose substantial security risks because of its new capabilities for accessing multimedia hardware of the computer, IT experts warned.
Mountain View shipped the new Chrome beta with the first implementation of the getUserMedia API, a JavaScript interface designed to let HTML5 web “applications” to directly access the PC’s camera and microphone with no need for an external plug-in like the ubiquitous Flash Player by Adobe.
Google presented getUserMedia API as the first, tangible step in the WebRTC project, “a new real-time communications standard that aims to allow high-quality video and audio communication on the web”. But the ability to access a computer’s camera and mic with full control over the hardware is a security risk that could overshadow the “cool new experiences” Google is touting for Chrome, experts suggested.
Trend Micro’s Rik Ferguson describes the getUserMedia tech as especially attractive for cyber-criminals and malware writers. “We have already seen both banking malware and of course targeted threats that make use of the video hardware of the victim through the installation of malware”, Ferguson states, and thanks to the new HTML5 API “the criminal simply has to make a JavaScript that requests access to the video and/or audio hardware”.
With the getUserMedia API there is no need to create a (hidden) record of the conversation or video footage from the PC’s camera to upload on-line, Ferguson explains, because the JavaScript code will simply stream the audio and video feeds back to the cyber-criminal directly from within the browser window.
Sean Sullivan, security advisor of F-Secure, is unimpressed and worried about getUserMedia too: Sullivan fears in particular new “click-jacking” malware, malicious code that could automatically enable the audio&video recording by simply “hijacking” the confirmation clicks from the user’s browser.
Another reason for being worried about the new API is the effort made by Google to secure its backend code: “Imagine if you were to use voice search”, Sullivan said, “but somehow the mic failed to stop recording and collected too much information – à la Google Street View”. Talk about another gigantic privacy failure like the one that haunted Google legal counsellors worldwide.
Source: The Inquirer.
20 Comments - Add comment