‘Fixed’ Chrome extension flaw could allow hackers to record both your webcam and desktop feeds

According to Bleeping Computer, a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. The devs behind the Chrome extension promptly sent out a supposed fix, but Palant has made it clear the app is still leaving users vulnerable to exploitation and extortion.

On installation, Screencastify asks for access to your Google Drive and creates a permanent Google OAuth access token for the company's account. The cloud folders created with the token, in which all the users' video projects are saved, are allegedly left unhidden.

Chrome's desktopCapture API and tabCapture permissions are also granted automatically when you install the software, meaning it has the ability to record your desktop too.

On top of this, the software's WebRTC API permission is only requested once, meaning the capture functions are continuously enabled from the get-go, unless you switch the setting to 'ask permission' each time. Even then, Palant found that hackers could not only steal the authentication token, but also use the Screencastify app to record without notifying the user at all.
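To check which installed extensions hold the capture permissions named above, the following added example (not code from the article, from Palant, or from Screencastify) scans an extensions directory and separates install-time grants from optional ones. It assumes Chrome's on-disk layout of `<extension id>/<version>/manifest.json`; the extension IDs, names and manifests in it are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Permission names taken from the article; both allow screen or tab capture.
CAPTURE_PERMISSIONS = {"desktopCapture", "tabCapture"}


def audit_manifest(manifest):
    """Return capture permissions split by when Chrome grants them."""
    def hits(key):
        # Entries may be non-strings or the key may be null, so filter defensively.
        return sorted(p for p in (manifest.get(key) or [])
                      if isinstance(p, str) and p in CAPTURE_PERMISSIONS)
    return {"install_time": hits("permissions"),
            "optional": hits("optional_permissions")}


def audit_extensions_dir(root):
    """Scan <root>/<extension id>/<version>/manifest.json and report findings."""
    findings = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        result = audit_manifest(manifest)
        if result["install_time"] or result["optional"]:
            findings[path.parent.parent.name] = {"name": manifest.get("name", "?"), **result}
    return findings


def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, not real manifests."""
    samples = {
        "aaaaexamplerecorder": {"name": "Example Recorder", "manifest_version": 3,
                                "permissions": ["desktopCapture", "tabCapture", "storage"]},
        "bbbbexamplenotes": {"name": "Example Notes", "manifest_version": 3,
                             "permissions": ["storage"], "optional_permissions": ["tabs"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for ext_id, info in audit_extensions_dir(tmp).items():
            print(ext_id, info)
```

To audit a real profile, pass the path of its `Extensions` folder to `audit_extensions_dir` instead of the temporary sample directory.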


“Not much appears to have changed here, and I could verify that it is still possible to start a webcam recording without any visual clues,” Palant explains in their research blog post.

“The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one.” And since the error page has a fixed address, “it can be opened directly rather than triggering the error condition.”

Both Bleeping Computer and Palant have contacted Screencastify, but to no avail. 

Here's a quick glance over the Screencastify privacy policy:

“We use security and technology measures consistent with industry standards to try to protect your information and make sure that it is not lost, damaged or accessed by anyone who should not see it.”

“Despite our security measures, we cannot guarantee the absolute security of your personal information.”

Here's hoping the vulnerability is sorted properly, and soon, before rogue employees or hackers start making use of the exploit. Best to use a different platform for the time being, perhaps.