As far as I can tell, with these changes the issue can no longer be exploited.Ĭhrome. all five subdomains with privileged access to the extension are run by Screencastify themselves. Update (): Screencastify reduced the attack surface further by no longer granting websites access to the user’s Google Drive. Now it’s only five subdomains, run by Screencastify and one other vendor.
of the extension released today restricted the attack surface considerably. As this certainly won’t be their last Cross-site Scripting vulnerability, I sincerely recommend staying clear of this browser extension. The extension is being marketed for educational purposes and gained significant traction in the current pandemic.Īs of now, it appears that Screencastify only managed to address the Cross-site Scripting vulnerability which gave arbitrary websites access to the extension’s functionality, as opposed to “merely” Screencastify themselves and a dozen other vendors they work with. Chrome Web Store shows “10,000,000+ users” for it which is the highest number it will display – same is shown for extensions with more than 100 million users. Screencastify is a browser extension that aids you in creating a video recording of your entire screen or a single window, optionally along with your webcam stream where you explain what you are doing right now. The website could then steal the video from the user’s Google Drive account that it was uploaded to, along with anything else that account might hold. A website that a user visited could trick the extension into starting a webcam recording among other things, without any indications other than the webcam’s LED lighting up if present. These are a bluff of course, but the popular Screencastify browser extension actually provides all the infrastructure necessary for someone to pull this off.
Everyone has received the mails trying to extort money by claiming to have hacked a person’s webcam and recorded a video of them watching porn.
0 kommentar(er)
