Screencastify Chrome extension flaws allow webcam hijacks
The popular Screencastify Chrome extension has fixed a vulnerability that allowed malicious sites to hijack users' webcams and steal recorded videos.
Screencastify is a screen recorder, video editor, and media sharing browser extension with over 10,000,000 installs on the Chrome Web Store.
An XSS vulnerability in the extension allowed any site to make Screencastify record a video, which would then be uploaded to Google Drive.
To make matters worse, the researcher developed a PoC exploit that attackers could use to launch the webcam of Screencastify users without any indication of the action.
While Screencastify fixed the XSS vulnerability that allowed any malicious site to hijack webcams, problems still exist that could allow an employee or a compromised site to silently record videos from Screencastify users' devices.
Even if XSS flaws were addressed by all of the companies that use Screencastify, the question of trust in these entities remains, because choosing to use the extension means entrusting third parties with full access to your Google Drive contents.