Screencastify fixes bug that would have let rogue websites spy on webcams

School-friendly Chrome extension still not fully protected, privacy guru warns


Updated Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting (XSS) flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams.

A miscreant taking advantage of this flaw could then download the resulting video from the victim's Google Drive account.

Software developer Wladimir Palant, co-founder of ad amelioration biz Eyeo, published a blog post about his findings on Monday. He said he reported the XSS bug in February, and Screencastify's developers fixed it within a day.

But Palant contends the browser extension continues to pose a risk because the code trusts multiple partner subdomains, and an XSS flaw on any one of those sites could potentially be misused to attack Screencastify users.

The Screencastify page on the Chrome Web Store says that the browser extension has more than 10 million users, which is the maximum value listed by store metrics. As Palant points out, the extension is aimed at the education market, raising some unpleasant possibilities.

"The extension grants screencastify.com enough privileges to record a video via user’s webcam and get the result," he explains in his post. "No user interaction is required, and there are only minimal visual indicators of what’s going on. It’s even possible to cover your tracks: remove the video from Google Drive and use another message to close the extension tab opened after the recording."

What's concerning about this is that the extension code gives several other domains these same privileges: not just Screencastify, via the app.screencastify.com domain, but also Webflow, Teachable, Atlassian, Netlify, Marketo, ZenDesk, and Pendo, each via Screencastify subdomains.

And, Palant says, neither the Screencastify domain nor the subdomains delegated to partners have meaningful Content Security Policy (CSP) protection – a way to mitigate XSS risks.

Palant's proof-of-concept exploit involved finding an XSS bug within the Screencastify code, which wasn't a particularly difficult task because they're quite common. The NIST database lists almost 20,000 of them from 2001 to the present. According to OWASP, "XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications."

Palant found an XSS bug on an error page that gets presented when a user tries to submit a video after already submitting one for an assignment. The page contained a “View on Classroom” button that sent the user to Google Classroom using this code:

window.open(this.courseworkLink);

"It’s a query string parameter," Palant explains in his post. "Is there some link validation in between? Nope. So, if the query string parameter is something like javascript:alert(document.domain), will clicking this button run JavaScript code in the context of the screencastify.com domain? It sure will!"

To make that happen, the attacker would still need to trick the victim into clicking on this button. But as Palant observed, the page contained no protection against framing, meaning it was susceptible to clickjacking. So his proof-of-concept attack did just that, loading the vulnerable page in an invisible frame and positioning it under the mouse cursor so any click would be passed through to the hidden button.
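An added example, not Screencastify's code, of the two defences the paragraphs above point at: rejecting non-http(s) schemes before a query-string value reaches window.open(), and the response headers that would have denied the hidden-frame step. The Google Classroom host allowlist is an assumption for illustration.

```javascript
// Added example, not Screencastify's code: validating a query-string link
// before it reaches window.open(), plus the headers that deny framing.
// The Google Classroom host allowlist is an assumption for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['classroom.google.com']);

// Returns the normalised absolute URL if it is safe to open, otherwise null.
function validateOutboundLink(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let url;
  try {
    // No base URL on purpose: relative or scheme-less values ("//host/x")
    // are rejected rather than silently resolved against the current origin.
    url = new URL(raw.trim());
  } catch (e) {
    return null;
  }
  // javascript:, data:, blob: and similar schemes run in the opener's
  // origin instead of navigating away, so only http(s) is accepted.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (!allowedHosts.has(url.hostname)) return null;  // exact host, no suffix tricks
  if (url.username || url.password) return null;      // no embedded credentials
  return url.href;
}

// Replacement for a bare window.open(this.courseworkLink): only a validated
// link is opened, with noopener so the new window cannot reach this one.
// `win` is injectable so the function can be exercised outside a browser.
function openCourseworkLink(courseworkLink, win = globalThis.window) {
  const target = validateOutboundLink(courseworkLink);
  if (target === null) return false;
  win.open(target, '_blank', 'noopener,noreferrer');
  return true;
}

// Response headers for the error page. frame-ancestors 'none' (and the
// legacy X-Frame-Options) stop it being loaded in a hidden frame, and a
// script-src without 'unsafe-inline' makes the browser refuse javascript:
// navigations even if a validation check is missed somewhere.
function hardeningHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; frame-ancestors 'none'; base-uri 'self'",
    'X-Frame-Options': 'DENY',
  };
}
```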

Thereafter, the page could message Screencastify to fetch the victim's Google access token and ask Google for the user's identity. It could also list Google Drive contents or start a recording session.

Palant said he reported the issue on February 14, 2022, and his message was acknowledged the same day. A day later, the XSS on the error page was fixed. The message he received also mentioned a long-term plan to implement Content Security Policy protection, but as of May 23, according to Palant, that hasn't happened on either app.screencastify.com or www.screencastify.com, apart from the addition of framing protection.

The API, Palant observed, does not appear to have been restricted and will still produce a Google OAuth token that can be used to access a victim's Google Drive. Nor has the onConnectExternal handler that lets websites start video recordings been locked down.
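The trust problem Palant describes, with every partner subdomain allowed to message the extension, can be contrasted with an exact-origin check on the extension side. This is an added example, not Screencastify's extension code; the origins, the manifest patterns and the single permitted action are assumptions.

```javascript
// Added example, not Screencastify's code. Origins and actions are assumptions.
// Weak form: a wildcard in externally_connectable lets every subdomain open a
// port to the extension, so an XSS on any one of them inherits its privileges.
const WEAK_MANIFEST_MATCHES = ['https://*.example-screencast.test/*'];
// Hardened form: only the first-party app origin, listed exactly.
const STRICT_MANIFEST_MATCHES = ['https://app.example-screencast.test/*'];

const TRUSTED_ORIGINS = new Set(['https://app.example-screencast.test']);

// Exact-origin check on the connecting page: scheme, host and port must all
// match, so a sibling subdomain or a plain-http copy of the app is refused.
function isTrustedSender(sender) {
  if (!sender || typeof sender.origin !== 'string') return false;
  let origin;
  try { origin = new URL(sender.origin).origin; } catch (e) { return false; }
  return TRUSTED_ORIGINS.has(origin);
}

// Actions a web page may request over the external port. Starting a
// recording or handing out the user's OAuth token are deliberately absent:
// nothing a page can say should reach the webcam or Google Drive.
const ALLOWED_ACTIONS = new Set(['getRecordingState']);

function handleExternalMessage(sender, msg) {
  if (!isTrustedSender(sender)) return { ok: false, error: 'untrusted origin' };
  if (!msg || !ALLOWED_ACTIONS.has(msg.action)) return { ok: false, error: 'action not allowed' };
  return { ok: true, action: msg.action };
}

// Wiring into chrome.runtime.onConnectExternal; only runs inside the browser.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onConnectExternal) {
  chrome.runtime.onConnectExternal.addListener((port) => {
    if (!isTrustedSender(port.sender)) { port.disconnect(); return; }
    port.onMessage.addListener((msg) => port.postMessage(handleExternalMessage(port.sender, msg)));
  });
}
```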

The Register asked Google whether it would care to comment on Palant's observation that Google Drive access is too broadly scoped, but we've not heard back.

"So, the question whether to keep using Screencastify at this point boils down to whether you trust Screencastify, Pendo, Webflow, Teachable, Atlassian, Netlify, Marketo and ZenDesk with access to your webcam and your Google Drive data," he concludes. "And whether you trust all of these parties to keep their web properties free of XSS vulnerabilities. If not, you should uninstall Screencastify ASAP."

Screencastify did not immediately respond to a phone call and emails seeking comment. ®

Updated to add

Screencastify responded to Palant's claims last month in a blog post, which said the vulnerability had been addressed.

Palant in response told The Register on May 25th, "In their blog post they claim: 'No subdomains controlled by our partner services have direct messaging access to the latest release of the Chrome extension.' What they don't say: the change restricting messaging access to five subdomains was introduced in today's release."

In a subsequent email, John Black, director of cyber security at Screencastify, said he disagreed with the post's conclusions.

"To clarify, there is no flaw that has been discovered or proven that would allow for the 'No user interaction' scenario," said Black. "Additionally, even if there were a known exploit that would allow an attacker to take advantage of the functionality mentioned in the report, the function that could have allowed an attacker to steal a google token and compromise a user's account has been removed from the extension entirely."

Black emphasized that there's been no known breach of Screencastify's systems or exploitation of its extension. (No such thing was claimed in Palant's post – vulnerabilities like the one that Screencastify addressed present the potential for exploitation but do not indicate any such activity has taken place.) He also said that the privileges extended to partners have been withdrawn.

In short, Black claims all's well.

