Screencastify Issue Could Allow Someone To Steal Recorded Videos Comments Off on Screencastify Issue Could Allow Someone To Steal Recorded Videos
Are you one of the legions of users making use of the Screencastify Chrome extension? It's a fantastic Chrome extension that allows you to almost effortlessly create screencasts for a variety of purposes.
Unfortunately, the web extension also suffers from a critical security vulnerability that allows attackers to take control of a user's webcam and steal recorded videos.
The cross-site scripting (XSS) vulnerability that made this possible was reported by independent security researcher Wladimir Palant and it was reported on Valentine's Day of this year (February 14, 2022). The vendor that created the extension responded quickly to the reported flaw and issued a fix just days after the issue was reported to them.
While we applaud the rapid response, unfortunately, the fix didn't completely address the issue and it may still be possible. Although the threat from external attackers has been eliminated. Unfortunately, three months later the lingering issues that could allow an unscrupulous insider to make the same kind of attack remain unaddressed.
That's problematic because Screencastify boasts more than ten million installations worldwide on the Chrome store. The total number of installations may be significantly higher, but the site's counter only goes to ten million.
The extension's popularity exploded during the pandemic because it represented such a quick and easy solution to a problem that only emerged when tens of millions of people around the world started working from home.
Mr. Palant sums up the core issue thusly:
"The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one. This error page is located under a fixed address, so it can be opened directly rather than triggering the error condition."
In any case, if you use the extension just be aware of the risks associated with it. There is no word from the vendor on if or when another fix might be coming.