Screencastify does not protect users of its Chrome extension from webcam hackers / Digital Information World
Screencastify's webcam hijacking problem has been well known for a long time. Among its many flaws, Screencastify originally had a major problem: it failed to protect its users from webcam hackers. Recent updates have addressed the issue, but not completely. According to a report, malicious hijackers can still get into cameras and steal videos very quickly.
After a security researcher reported the problem to Screencastify, the maintainer immediately fixed it. However, many issues remain unattended, and the extension still has the same security issues it has had for many years. Although the problem was reported in mid-February, it is not going away.
The security researcher Wladimir Palant, who notified the vendor of the problem, has now taken it upon himself to warn users and potential future users of Screencastify about its hidden issues. He pointed out that the issue has still not been resolved months after it was reported, while the platform is so large that other apps are associating themselves with it, putting thousands of people at risk.
What is Screencastify?
Screencastify is a platform that lets you record videos, share them, and even edit them. It is a Chrome extension with over ten million installs. Although the tool was not a big hit before the pandemic, it took off once the pandemic hit. Since it is a convenient platform and people are unaware of its risks, its popularity is not surprising.
However, what users do not know is that the platform asks for access to one of the fundamental domains, which gives it permission to use all the capture functions. This puts users at great risk if it is hacked. Also, there is no separate prompt to grant these permissions; they are granted automatically once the installation is complete.
Why is Screencastify dangerous?
If it wasn’t already clear enough, Screencastify has several bugs in its system that put user safety at risk. The first is an XSS vulnerability that has already caused many problems in other Google platforms like Google Drive.
A PoC exploit for the extension also exists. The exploit is quite dangerous, as hijackers can use it to gain access to any webcam they want without giving the user any hint of the intrusion.
The attack begins by tricking the user into clicking a “Show on Classroom” option, through which the attacker can get into the user’s camera using the XSS vulnerability. This happens after the Chrome extension token has been disabled by clicking the bait.
Why didn’t Screencastify fix the problem?
Screencastify fixed the problem, but not all of it. The platform can no longer be hacked by random attackers through the XSS vulnerability. However, the webcams are still accessible to people in the company or those working for applications related to the extension. Since Screencastify is used by several applications, the risk is quite high.
What is annoying is that no security policy has been established and the latest version does not address the remaining flaws. Even if the extension corrects its flaws now, the question is whether users will ever be able to trust it again.