![]() ![]() ![]() ![]() No user interaction is required, and there are only minimal visual indicators of what’s going on. Let’s sum up: the extension grants enough privileges to record a video via user’s webcam and get the result. As we remember, the website can get the access token necessary to download it from there. ![]() sendMessage ( "mmeijimgabbpbgpdklnllpncmdofkcpn", ) Īnd with the default settings, the recorded video will be automatically uploaded to Google Drive. As far as I can tell, with these changes the issue can no longer be exploited.Ĭhrome. all five subdomains with privileged access to the extension are run by Screencastify themselves. Update (): Screencastify reduced the attack surface further by no longer granting websites access to the user’s Google Drive. Now it’s only five subdomains, run by Screencastify and one other vendor. of the extension released today restricted the attack surface considerably. As this certainly won’t be their last Cross-site Scripting vulnerability, I sincerely recommend staying clear of this browser extension. The extension is being marketed for educational purposes and gained significant traction in the current pandemic.Īs of now, it appears that Screencastify only managed to address the Cross-site Scripting vulnerability which gave arbitrary websites access to the extension’s functionality, as opposed to “merely” Screencastify themselves and a dozen other vendors they work with. Chrome Web Store shows “10,000,000+ users” for it which is the highest number it will display – same is shown for extensions with more than 100 million users. Screencastify is a browser extension that aids you in creating a video recording of your entire screen or a single window, optionally along with your webcam stream where you explain what you are doing right now. The website could then steal the video from the user’s Google Drive account that it was uploaded to, along with anything else that account might hold. A website that a user visited could trick the extension into starting a webcam recording among other things, without any indications other than the webcam’s LED lighting up if present. These are a bluff of course, but the popular Screencastify browser extension actually provides all the infrastructure necessary for someone to pull this off. Everyone has received the mails trying to extort money by claiming to have hacked a person’s webcam and recorded a video of them watching porn. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |