Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: Google Chrome 21 and getUserMedia API - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Google Chrome 21 and getUserMedia API

Google yesterday released Chrome 21, the latest version of Google's browser. In addition to the usual set of bug fixes (including some critical security patches), Chrome now joins Opera with support for the getUserMedia API.

getUserMedia is part of the larger HTML 5 ecosystem. HTML 5 includes not just new HTML tags. It is frequently used to represent a larger set of emerging standards for various browser APIs. getUserMedia will allow javascript to access microphones and cameras, something that hasn't been possible so far without special plugins. Usually Flash was used to collect images.

The getUserMedia API itself is part of "WebRTC". WebRTC ("Real Time Communication") will allow direct communication between browser. With WebRTC and getUserMedia, it will be possible to implement a video calling application using just HTML/Javascript without any plugins or other software.

From a security point of view, the critical problem is to protect the user from accidentally turning on the microphone and camera, or for a web application to turn it on without user permission. Google Chrome will show a warning message, asking the user for permission. Flash uses its own warning for this purpose, and has been subject to some clickjacking exploits that could be used to trick a user into giving it permission to use the camera/microphone.

This API has not been finalized yet. Expect changes, and bugs. Firefox will support it in version 16 (current . There is no word about support in Safari, but it is likely going to follow. If you wnat to experiment with it, see http://www.html5rocks.com/en/tutorials/getusermedia/intro/ for details and a demo.

Problably the best list of supported features by browser can be found at http://html5test.com

cmaera permission dialog in opera
Camera Permission Dialog in Opera

camera permission dialog in Chrome 
Camera Permission Dialog in Chrome
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Jose 2019

Johannes

3580 Posts
ISC Handler
Yeah, I'm not taking the black tape off my laptop's camera any time soon.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!