Ever get that feeling you’re being watched? If you’ve currently got the Screencastify Chrome extension active, you could be. A flaw the company claimed was ‘fixed’ may still allow malicious actors to access unsuspecting users’ webcam and desktop activity, and record it for whatever they see fit.
You’ve probably seen these ‘sextortion’ emails: “We have a recording of you doing X, Y, Z. Send us $10,000 in some obscure cryptocurrency or we’ll release the vid for all the world to see.”
With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlifyrunning, Marketo, and ZenDesk. It’s an extension that lets users record, edit and submit video content for work and school projects, so users include teachers, and schoolchildren at various stages of their education. I can only imagine the panic from parents when the vulnerability was discovered, and their potential fury knowing it still hasn’t been properly fixed.
According to Bleeping Computer (opens in new tab), a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. Devs behind the Chrome extension promptly sent out a supposed fix, but Palant has made it clear the app is still putting users in a vulnerable position for exploitation, and extortion.
On installing Screencastify, it asks to access your Google Drive and makes a permanent Google OAuth access token for the company’s account. The cloud folders created with the token, in which all the users video projects are saved, are allegedly let unhidden.
Chrome’s desktopCapture API and tabCapture permissions are also granted automatically when you install the software, meaning it has the ability to record your desktop too.
On top of this, the software’s WebRTC API permission is only requested once, meaning the capture functions are continuously enabled from the get go, unless you switch the setting to ‘ask permission’ each time. Even then, Palant found that hackers could not only steal the authentication token, but also use the Screencastify app to record without notifying the user at all.
“Not much appears to have changed here, and I could verify that it is still possible to start a webcam recording without any visual clues,” Palant explains in their research blog post (opens in new tab).
“The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one.” And since the error page has a fixed address, “it can be opened directly rather than triggering the error condition.”
Both Bleeping Computer and Palant have contacted Screencastify, but to no avail.
Here’s a quick glance over the Screencastify privacy policy:
“We use security and technology measures consistent with industry standards to try to protect your information and make sure that it is not lost, damaged or accessed by anyone who should not see it.”
“Despite our security measures, we cannot guarantee the absolute security of your personal information.”
Here’s hoping the vulnerability is sorted properly, and soon, before rogue employees or hackers start making use of the exploit. Best to use a different platform for the time being, perhaps.
