Security issues caused by the WebRTC feature in Chrome browser

What is WebRTC?

Web Real-Time Communication (WebRTC) is a collection of communications protocols and APIs originally developed by Google that enables real-time voice and video communication over peer-to-peer connections.

WebRTC is a set of protocols and APIs that allow web browsers to request real-time information from the browsers of other users, enabling real-time peer-to-peer and group communication including voice, video, chat, file transfer, and screen sharing.

WebRTC implements STUN (Session Traversal Utilities for NAT), a protocol that allows the discovery of your externally assigned IP address as well as your local IP address.

 

How secure is WebRTC?

WebRTC works from browser to browser, so you don’t need to download any software or plugins in order to set up a video conference or VoIP call. All the security that you need is already contained within your browser and the WebRTC platform. Some of the built-in security features of the WebRTC platform include:

  • End-to-end encryption between peers
  • Datagram Transport Layer Security (DTLS)
  • Secure Real-Time Protocol (SRTP)

End-to-End Encryption

Encryption is built into WebRTC as a permanent feature and addresses all security concerns effectively. Regardless of what server or compatible browser you’re using, private peer-to-peer communication is safe thanks to WebRTC’s advanced end-to-end encryption features.

Datagram Transport Layer Security (DTLS)

Any data that is transferred through a WebRTC system is encrypted using the Datagram Transport Layer Security method. This encryption is already built into compatible web browsers (Firefox, Chrome, Opera) so that eavesdropping or data manipulation can’t happen.

Secure Real-Time Protocol (SRTP)

In addition to offering DTLS encryption, WebRTC also encrypts data through Secure Real-Time Protocol, which safeguards IP communications from hackers, so that your video and audio data is kept private.

Camera and Microphone Security

Unlike some other video and audio conferencing software, WebRTC requires the user to enable access to their microphone and camera before communications begin. Typically, a pop-up box will appear in your web browser, asking you to allow the program access. The image below shows what a webcam and microphone permission pop-up might look like in the Chrome browser.

Security issue caused by the WebRTC feature in Chrome

It is well known that the WebRTC feature in Chrome will leak your IP address even if you are behind a proxy server or using a VPN service. Most people who do not use a proxy or VPN reveal their IP address to every web server they visit, and the IP address is the most easily accessible piece of information for tracking a website visitor.

At a minimum, big companies such as Google and Facebook use IP addresses to analyze your habits and behavior and send you highly targeted ads. While most people are fine with targeted ads, there are people who don’t like to be tracked at all, for whatever reason. They will choose to use either a proxy or a VPN service to avoid being tracked. However, in a browser which supports WebRTC, including Chrome, Slimjet, and Firefox, the website owner can easily obtain not only the visitor’s true IP address but also their local network address, with a simple piece of JavaScript.

In addition to that, the WebRTC Media Device Enumeration API also enables the website owner to obtain a unique media device id from the user, which can be used to uniquely identify the visitor.

How to verify the IP leakage issue caused by WebRTC?

Here are three websites which can let you detect if your browser is liable to the IP leakage issue caused by WebRTC:

How to prevent the IP leakage caused by WebRTC?

WebRTC Control: http://bit.ly/29aqJnt

Test it: https://www.browserleaks.com/webrtc
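What a leak test reports comes from the ICE candidate lines the browser generates, and the address types in those lines decide whether your real addresses are exposed. The following is an added example (not code from the original post or from any of the sites named here) that parses candidate lines and reports the local and public addresses they reveal; the sample lines and the function names are constructed for illustration.

```javascript
// Added example. Candidate lines below are constructed, using RFC 1918 and
// RFC 5737 documentation addresses; function names are hypothetical.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e0a-9c3b-1a2b3c4d5e6f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "a=candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 0.0.0.0 rport 0",
  "not a candidate line",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const i = f.indexOf("raddr", 8);
  return { address: f[4], type: f[7], raddr: i !== -1 && f[i + 1] ? f[i + 1] : null };
}

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return "mdns"; // mDNS name standing in for an interface address
  const m = addr.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (!m) return "other"; // IPv6 and anything else: left unclassified in this example
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 0) return "unspecified";
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "link-local";
  return "public";
}

function auditCandidates(lines) {
  const local = new Set(), pub = new Set();
  let mdns = 0, skipped = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { skipped++; continue; }
    // For relay candidates the address belongs to the TURN server, not the user;
    // only raddr (the related address) can point back at the user.
    const own = c.type === "relay" ? [c.raddr] : [c.address, c.raddr];
    for (const addr of own.filter(Boolean)) {
      const kind = classifyAddress(addr);
      if (kind === "mdns") mdns++;
      else if (kind === "private" || kind === "link-local") local.add(addr);
      else if (kind === "public") pub.add(addr);
    }
  }
  return { localIps: [...local].sort(), publicIps: [...pub].sort(), mdnsHosts: mdns, skipped };
}

console.log(auditCandidates(SAMPLE_CANDIDATES));
```

Candidate lines from your own browser can be copied from chrome://webrtc-internals while a test page is open. If localIps and publicIps both come back empty, the candidates seen did not expose the machine's IPv4 addresses.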

Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

What if your laptop were listening to everything said during your phone calls or by other people near it, and even recording video of your surroundings, without your knowledge?

A UX design flaw in Google’s Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on.

AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way.

Here’s the lowdown. Once you give a site permission to use your microphone or camera, Chrome assumes that site will have permission to do so in the future. That means every instance of that site, every page on that site, also has access to your camera and microphone, meaning a sketchy site owner could throw up a pop-under window in the background that’s listening in to everything you say, or worse, listening and set to trigger some action (like recording) when you say specific words or phrases.

For its part, after the report Google doesn’t see it as a problem and says it’s in compliance with W3C (the World Wide Web Consortium) standards. Google does have a point: in order for the issue to be a real threat, not only do you have to visit a site that would want to record your speech, you’d have to grant it access to your microphone, and then you’d have to not notice a pop-under window from that site lingering in the background.

Whether or not Google considers this a security vulnerability, the bug is surely a privacy issue, which could be exploited by hackers to potentially launch more sophisticated attacks.

To stay on the safer side, simply disable WebRTC if you don’t need it, which can be done easily. If you do require the feature, allow only trusted websites to use WebRTC, and on top of that look for any other windows that such a site may spawn afterward.

Following such privacy concerns, even Facebook CEO Mark Zuckerberg and former FBI director James Comey admitted that they put tape on their laptops just to be on the safer side.

Although putting tape over your webcam would not stop hackers or government spying agencies from recording your voice, it would at least prevent them from watching or capturing your live visual feeds.

If you want to block your camera and microphone, follow the steps given below:

To improve your Chrome security settings, go to the Settings area, which can be accessed in the top right corner of the browser.

Click on Settings –> Advanced Settings –> Content Settings –> Block Camera and Microphone

or type chrome://settings/content in the Chrome address bar –> Block Camera and Microphone.

What Is My Browser – Displays fingerprinting information such as the local and remote IP address, browser, plugins, location, screen resolution and more.

http://ip-check.info/?lang=en << JonDonym

Happy and Safe browsing 🙂

Source: ghacks, thehackernews, slimjet, twilio, heimdalsecurity

 

3 thoughts on “Security issues caused by the WebRTC feature in Chrome browser”

  1. Thank you for posting this… you are perhaps one of the only people who stepped to describe this ongoing problem.. every porn site in the world can exploit this flaw for its visitors.. it's beyond scary that Chrome and Chromium have no way internally to block. Also.. fun fact: the STUN traffic passes seamlessly through firewalls.
