Say “Cheese” to your Google Chrome

A newly discovered vulnerability in a popular browser exposes how photos can be taken of unsuspecting users.

cheese

Further proof of hackers’ inventiveness appeared last week in the form of a report regarding a simple trick that allows individuals to take photos of users browsing the web with Google Chrome – the most popular browser today.

We are not yet aware of usage of this Chrome imperfection in real-world attacks, but simplicity and efficiency of this trick makes us once again think about today’s free flow of private information.

As you might know, Adobe Flash can use a microphone and a web camera to interact with a user; it must ask user’s permission beforehand though. But it turns out in Chrome it’s possible to put an image over this security dialog, effectively masking it. Users still have to click the “allow” button, so an overlaying image has to have some kind of compelling interaction on it – in the screenshot down here, it’s a “Play” button.

One mouse click – and your photo is ready and uploaded to a hacker’s server. Most laptops light up a special indicator when web camera is on, but even if you notice it – it’s already too late. The most affected platforms are Windows 7, 8, Mac OS X and some versions of Linux.

Chrome

User photos don’t look like valuable loot, but it could be of use to cybercriminals, e.g., for identity theft. Moreover, it’s possible to switch on a microphone in the same way and it won’t produce any noticeable effects, making it easier for hackers to discretely record a user’s conversations.

We are not yet aware of usage of this Chrome imperfection in real-world attacks, but simplicity and efficiency of this trick makes us once again think about today’s free flow of private information. Users cannot even predict, who, when and to what extent their information is collected and how it’s being used later. The problem is most daunting for smartphone applications. “Harmless” web browsing leaks more than just your web browsing history – third party sites can access your exact location and physical environment via camera and microphone. It is quite complicated to make web browsing truly private, but privatizing users’ location and camera is easier. Because these functions are rarely used, it’s possible to disable them using “Advanced” settings of Google Chrome. If you encounter (once a month, once a year, etc) a site requiring these tools, it will take about 10 seconds to temporarily switch location/camera on and turn it off a little bit later.

  • Share
  • Pin It

Comments

  1. homakov says:

    why url homakov…… is removed

    1. Serge Malenkovich says:

      Egor, we don’t link sites with exploits, even proof-of-concept.

  2. marko says:

    Did Kaspersky do anything to warn users of sites exploiting this? I suppose that phishing component should be acting in this case?

    1. Kaspersky Team says:

      Hi Marko,

      Whenever we find new vulnerabilities to tell users about we share a post on the topic both on our blog and on our Facebook page. Be sure to follow us to stay up to date on the latest news.

      Best,
      Kaspersky Team