Tuesday, January 31, 2023

Who’s watching your webcam? The Screencastify Chrome extension story… – Naked Security


We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there.

That’s because browser extensions aren’t subject to the same strict controls as the content of web pages you download, otherwise they wouldn’t be extensions…

…they’d basically just be locally-cached web pages.

An ad-blocker or a password manager that was locked down so it worked on exactly one website wouldn’t be much use; a tab manager that could only manage one tab or site at a time wouldn’t be very helpful; and so on.

Web pages aren’t supposed to be able to override any controls imposed by the browser itself, so they can’t alter the address bar to display a bogus server name, or bypass the Are you sure? dialog that verifies you really did want to download that Word document to your hard disk.

Browser extensions, on the other hand, are supposed to be able, well, to extend and alter the behaviour of the browser itself.

Amongst other things, browser extensions can:

  • Peek at what is about to be shown in each tab after it’s been decrypted.
  • Modify what finally gets displayed.
  • See and tweak everything you type in or upload before it gets transmitted.
  • Read and write files on your local hard disk.
  • Launch or monitor other programs.
  • Access hardware such as webcams and microphones.
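
An added example, not from the article or from any extension it names: one way to check how much of the capability list above a Chrome extension has asked for is to audit its manifest.json. The permission names are real Chrome ones; the function names, risk wording and sample manifest are constructed for illustration.

```javascript
// Real Chrome permission names mapped to this example's own plain-language summary.
const RISKY_APIS = {
  tabs: "see the URL and title of every open tab",
  webRequest: "observe network requests made by pages",
  scripting: "inject code into pages it has host access to",
  downloads: "save files to disk through the download manager",
  nativeMessaging: "talk to a program installed on the computer",
  desktopCapture: "capture the screen, a window or a tab",
  tabCapture: "capture the visible content of a tab",
};

// A match pattern is broad when it is <all_urls> or its host part is a bare "*".
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^[a-z*]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[1] === "*";
}

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  // Optional grants are included because they can be requested after install.
  const declared = ["permissions", "optional_permissions",
    "host_permissions", "optional_host_permissions"]
    .flatMap((key) => manifest[key] || []);
  for (const entry of declared) {
    if (Object.prototype.hasOwnProperty.call(RISKY_APIS, entry)) {
      findings.push({ kind: "api", item: entry, why: RISKY_APIS[entry] });
    } else if (isBroadPattern(entry)) {
      findings.push({ kind: "host", item: entry, why: "access pages on every site" });
    }
  }
  for (const script of manifest.content_scripts || []) {
    for (const pattern of (script.matches || []).filter(isBroadPattern)) {
      findings.push({ kind: "content_script", item: pattern,
        why: "runs its own script inside pages on every site" });
    }
  }
  return findings;
}

// Constructed manifest for illustration; not Screencastify's.
const SAMPLE_MANIFEST = {
  permissions: ["storage", "tabs", "desktopCapture"],
  host_permissions: ["https://*.example.com/*"],
  optional_host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

The audit covers only what the manifest declares, so it shows what an extension is allowed to ask for, not what its code does with that access.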

Screencastify is one example of a browser extension that provides a popular feature that wouldn’t be possible via a website alone, namely capturing some or all of your screen so you can share it with other users.

The extension boasts 10,000,000+ users (apparently, there is no higher category, no matter how many users you get to), and invites you, in its own description, to:

Security researcher Wladimir Palant, himself an extension developer, decided to look into Screencastify, given its popularity.

Earlier this week, he published what he found.

Amongst other things, his report is a well-written reminder of just how difficult it can be to work out who’s involved in the web of trust you need to have when you decide to use an app or service from company X.


