Screencastify fixes bug that would have let rogue websites spy on webcams
2022-05-24 00:17

Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams.

Palant contends the browser extension continues to pose a risk because the code trusts multiple partner subdomains, and an XSS flaw on any one of those sites could potentially be misused to attack Screencastify users.

The Screencastify page on the Chrome Web Store says that the browser extension has more than 10 million users, which is the maximum value listed by store metrics.

Palant says neither the Screencastify domain nor the subdomains delegated to partners have meaningful Content Security Policy protection, a way to mitigate XSS risks.

Palant's proof-of-concept exploit involved finding an XSS bug within the Screencastify code, which wasn't a particularly difficult task because such bugs are quite common.

"So, the question whether to keep using Screencastify at this point boils down to whether you trust Screencastify, Pendo, Webflow, Teachable, Atlassian, Netlify, Marketo and ZenDesk with access to your webcam and your Google Drive data," he concludes.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/24/screencastify_chrome_extension_patched/