Security News > 2022 > May > Who’s watching your webcam? The Screencastify Chrome extension story…
Screencastify is one example of a browser extension that provides a popular feature that wouldn't be possible via a website alone, namely capturing some or all of your screen so you can share it with other users.
Security researcher Wladimir Palant, himself an extension developer, decided to look into Screencastify, given its popularity.
Palant started by looking at Screencastify's Chrome manifest file, a JSON data file that comes with every extension to specify important information such as name, version number, security policy, update URL, and permissions needed.
One of the entries in a Chrome manifest is a list called externally connectable, which states which extensions, apps and websites are allowed to interact with your extension.
Interestingly, according to Palant, the reason that Screencastify works with full access to Google Drive is that without full access, an extension can't display a list of its own files.
As you would expect, given that Screencastify is all about screen capture with added webcam streaming, externally connectable websites can request access to Chrome's desktopCapture API, to the tabCapture API, and to the WebRTC API. Requests to capture your desktop or browser tabs are less controversial than they might sound, because they always produce an obvious popup dialog to request permission.