Who’s watching your webcam? The Screencastify Chrome extension story… – Naked Security

We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there.

That’s because browser extensions aren’t subject to the same strict controls as the content of web pages you download, otherwise they would not be extensions… they’d basically just be locally-cached web pages.

An ad-blocker or a password manager that was locked down so it worked on exactly one website would not be much use; a tab manager that could only manage one tab or site at a time would not be very helpful; and so on.

Web pages aren’t supposed to be able to override any controls imposed by the browser itself, so they cannot alter the address bar to display a bogus servername, or bypass the Are you sure? dialog that verifies you really did want to download that Word document to your hard disk.

Browser extensions, on the other hand, are supposed to be able, well, to extend and alter the behavior of the browser itself.

Amongst other things, browser extensions can:

  • Peek at what is about to be shown in each tab after it’s been decrypted.
  • Modify what finally gets displayed.
  • See and tweak everything you type in or upload before it gets transmitted.
  • Read and write files on your local hard disk.
  • Launch or monitor other programs.
  • Access hardware such as webcams and microphones.
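As an added illustration (not code from the article, and not Screencastify’s own code), here is a small Node.js script that maps the permissions a Chrome extension declares in its manifest.json to the kinds of capability listed above, so a reviewer can see what an extension could do before installing it. The permission names are real Chrome manifest keys; the sample manifest is constructed for this example.

```javascript
// Map declared Chrome extension permissions to the broad capabilities
// the article lists. Permission names are real manifest.json keys;
// SAMPLE_MANIFEST below is constructed and is not any real extension's.
const CAPABILITIES = {
  tabs:            'read the URL and title of every open tab',
  webRequest:      'see and rewrite network traffic after it is decrypted',
  scripting:       'inject scripts that read and modify page content',
  desktopCapture:  'capture the screen, a window or a tab',
  tabCapture:      'capture the audio and video of a tab',
  nativeMessaging: 'talk to a native program on the local machine',
  downloads:       'write files to the local disk',
  clipboardRead:   'read whatever is on the clipboard',
};

// Host patterns that match every site grant the widest possible scope.
const ALL_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Returns one finding per permission or host pattern that maps to a
// capability worth a second look; unknown or narrow items are ignored.
function auditManifest(manifest) {
  const findings = [];
  for (const key of ['permissions', 'optional_permissions']) {
    for (const p of manifest[key] || []) {
      if (CAPABILITIES[p]) findings.push({ source: key, item: p, capability: CAPABILITIES[p] });
    }
  }
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) {
    if (ALL_HOSTS.has(h)) {
      findings.push({ source: 'host', item: h, capability: 'read and modify every page you visit' });
    }
  }
  return findings;
}

// Constructed sample: a screen-recorder-style manifest with broad scope.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example screen recorder (constructed)',
  permissions: ['desktopCapture', 'tabs', 'storage', 'nativeMessaging'],
  optional_permissions: ['downloads'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://*/*'], js: ['content.js'] }],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.source}: ${f.item} -> ${f.capability}`);
}
```

Run it against the manifest.json inside an unpacked extension (or the one shown on the Chrome Web Store listing) to get a plain-language list of what the extension is asking for.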

Screencastify is one example of a browser extension that provides a popular feature that would not be possible via a website alone, namely capturing some or all of your screen so you can share it with other users.

The extension boasts 10,000,000+ users (apparently, there is no higher category, no matter how many users you get to), and invites you, in its own description, to:

Security researcher Wladimir Palant, himself an extension developer, decided to look into Screencastify given its popularity.

Earlier this week, he published what he found.

Amongst other things, his report is a well-written reminder of just how difficult it can be to work out who’s involved in the web of trust you need to have when you decide to use an app or service from company X.
