Screencastify fixes bug that would have let rogue websites spy on webcams – The Register

Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting (XSS) flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams.

A miscreant taking advantage of this flaw could then obtain the resulting video from the victim’s Google Drive account.

Software developer Wladimir Palant, co-founder of ad amelioration biz Eyeo, published a blog post about his findings on Monday. He said he reported the XSS bug in February, and Screencastify’s developers fixed it within a day.

However, Palant contends the browser extension continues to pose a risk because the code trusts a number of partner subdomains, and an XSS flaw on any one of those sites could potentially be misused to attack Screencastify users.

The Screencastify page on the Chrome Web Store says that the browser extension has more than 10 million users, which is the maximum value listed by store metrics. As Palant points out, the extension is aimed at the education market, raising some unpleasant possibilities.

“The extension grants screencastify.com enough privileges to record a video via user’s webcam and get the result,” he explains in his post. “No user interaction is required, and there are only minimal visual indicators of what’s going on. It’s even possible to cover your tracks: remove the video from Google Drive and use another message to close the extension tab opened after the recording.”

What’s concerning about this is that the extension code gives a number of other domains these same privileges: not just Screencastify, via the app........

Source: https://www.theregister.com/2022/05/24/screencastify_chrome_extension_patched/