Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting (XSS) flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams.
A miscreant taking advantage of this flaw could then download the resulting video from the victim's Google Drive account.
Software developer Wladimir Palant, co-founder of ad-blocking biz Eyeo, published a blog post about his findings on Monday. He said he reported the XSS bug in February, and Screencastify's developers fixed it within a day.
But Palant contends the browser extension continues to pose a risk because the code trusts multiple partner subdomains, and an XSS flaw on any one of these websites could potentially be misused to attack Screencastify users.
The Screencastify page on the Chrome Web Store says that the browser extension has more than 10 million users, which is the maximum value listed by store metrics. As Palant points out, the extension is aimed at the education market, raising some unpleasant possibilities.
“The extension grants screencastify.com enough privileges to record a video via the user's webcam and get the result,” he explains in his post. “No user interaction is required, and there are only minimal visual indicators of what is going on. It's even possible to cover your tracks: remove the video from Google Drive and use another message to close the extension tab opened after the recording.”
What's concerning about this is that the extension code gives several other domains these same privileges: not just Screencastify, via the app.screencastify.com domain, but also Webflow, Teachable, Atlassian, Netlify, Marketo, ZenDesk, and Pendo, each via Screencastify subdomains.
And, Palant says, neither the Screencastify domain nor the subdomains delegated to partners have meaningful Content Security Policy protection – a way to mitigate XSS risks.
Palant's proof-of-concept exploit involved finding an XSS bug within the Screencastify code, which was not a particularly difficult task since such bugs are very common. The NIST database lists almost 20,000 of them from 2001 to the present. According to OWASP, “XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications.”
Palant found an XSS bug on an error page that gets presented when a user tries to submit a video after already submitting one for an assignment. The page contained a “View on Classroom” button that sent the user to Google Classroom using this code:
“It is a query string parameter,” Palant explains in his post. “Is there some link validation in between? Nope. So, if the query string parameter is something like
screencastify.com domain? It sure will!”
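The defect Palant describes is a query-string value copied into a link target without any check on its scheme or destination. The following is an added example, not code from Screencastify or from Palant's post, of how such a redirect parameter can be validated before it is used: parse it as a URL, allow only `https:`, and allow only an exact destination host. The page origin, the parameter name `redirect`, the allowed host `classroom.google.com` and the fallback target are all assumptions made for this example.

```javascript
// Added example (not Screencastify's code, not from Palant's post): building a
// redirect link from a query-string parameter safely. The error page reportedly
// placed the parameter into the button's link unvalidated, so a javascript: URL
// would execute in the page's origin. Origin, host and parameter name below are
// assumptions for this example.

const PAGE_ORIGIN = "https://app.screencastify.com"; // assumed origin of the error page
const ALLOWED_TARGET_HOSTS = new Set(["classroom.google.com"]); // assumed destination
const FALLBACK_URL = "https://classroom.google.com/"; // assumed safe default

// Returns a URL string that is safe to use as the button's target, or the
// fallback when the parameter cannot be trusted.
function safeClassroomUrl(param) {
  if (typeof param !== "string" || param.trim() === "") return FALLBACK_URL;
  let url;
  try {
    // Resolving against the page origin turns relative values into absolute
    // URLs, so "//evil.example/x" becomes "https://evil.example/x" and is
    // judged like any other cross-site destination.
    url = new URL(param, PAGE_ORIGIN);
  } catch (e) {
    return FALLBACK_URL; // unparseable input
  }
  // Scheme allowlist: anything other than https (javascript:, data:, blob:,
  // vbscript:, ...) is rejected outright.
  if (url.protocol !== "https:") return FALLBACK_URL;
  // Host allowlist with exact match, so "classroom.google.com.evil.example"
  // and "evil.example/?x=classroom.google.com" both fail.
  if (!ALLOWED_TARGET_HOSTS.has(url.hostname)) return FALLBACK_URL;
  // Drop any embedded credentials so "user:pass@" lookalike tricks are removed.
  url.username = "";
  url.password = "";
  return url.href;
}

// Read the parameter the way the page would, then use only the validated value.
function buildButtonHref(locationSearch) {
  const params = new URLSearchParams(locationSearch);
  return safeClassroomUrl(params.get("redirect")); // "redirect" is an assumed parameter name
}
```

The important design choice is that the validator never tries to strip or escape a bad value; it discards it and substitutes a known-good target, which removes the whole class of scheme-smuggling and host-confusion tricks rather than chasing individual encodings.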
To make that happen, the attacker would still have to trick the victim into clicking on this button. But as Palant observed, the page contained no protection against framing, meaning it was susceptible to clickjacking. So his proof-of-concept attack did just that, loading the vulnerable page in an invisible frame and positioning it under the mouse cursor so any click would be passed through to the hidden button.
Thereafter, the page could instruct Screencastify to fetch the victim's Google access token and query Google for the user's identity. It could also list Google Drive contents or start a recording session.
Palant said he reported the issue on February 14, 2022, and his message was acknowledged the same day. A day later, the XSS on the error page was fixed. The message he received also mentioned a long-term plan to implement Content Security Policy protection, but as of May 23, according to Palant, that has not happened on www.screencastify.com, apart from the addition of framing protection.
The API, he observed, does not appear to have been restricted and will still produce a Google OAuth token that can be used to access a victim's Google Drive. Nor, he said, has the onConnectExternal handler that lets websites start video recordings.
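Two of the weaknesses the article returns to are the absence of a meaningful Content Security Policy on the Screencastify and partner domains and the absence of framing protection on the error page. The following is an added example, not Screencastify's or Palant's code, of a small audit that inspects a response's headers for both: it parses the CSP header into directives, decides whether other origins can frame the page, and decides whether script execution is restricted at all. The header sets at the bottom are constructed for illustration (a weak state like the one described, and a hardened state an operator could deploy) and are not captured from any real site.

```javascript
// Added example (not Screencastify's or Palant's code): audit the response
// headers that govern clickjacking (frame-ancestors / X-Frame-Options) and
// script restriction (script-src / default-src). Sample headers are constructed.

// Parse a Content-Security-Policy header into a Map of directive -> tokens.
function parseCsp(header) {
  const directives = new Map();
  if (!header) return directives;
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // First occurrence wins; browsers ignore a repeated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Header names are case-insensitive; look the value up accordingly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Report whether other origins can frame the page and whether CSP
// meaningfully restricts where scripts may come from.
function auditHeaders(headers) {
  const csp = parseCsp(getHeader(headers, "Content-Security-Policy"));
  const xfo = (getHeader(headers, "X-Frame-Options") || "").trim().toUpperCase();

  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  let framingProtected;
  if (csp.has("frame-ancestors")) {
    const sources = csp.get("frame-ancestors").map((s) => s.toLowerCase());
    // A wildcard or a bare scheme source still lets arbitrary origins frame the page.
    framingProtected = !sources.some((s) => s === "*" || s === "http:" || s === "https:");
  } else {
    framingProtected = xfo === "DENY" || xfo === "SAMEORIGIN";
  }

  // script-src, falling back to default-src, must exist and must not be
  // effectively open. 'unsafe-inline' is treated as open here even though a
  // nonce or hash in the same directive would override it in CSP3 browsers;
  // that is a deliberately conservative reading for an audit.
  const scriptSrc = csp.get("script-src") || csp.get("default-src");
  const openTokens = new Set(["*", "'unsafe-inline'", "data:", "https:", "http:"]);
  const scriptRestricted =
    Array.isArray(scriptSrc) && !scriptSrc.some((t) => openTokens.has(t.toLowerCase()));

  return { framingProtected, scriptRestricted };
}

// Constructed sample: the weak state (no CSP, no framing protection) and a
// hardened state an operator could deploy instead.
const WEAK_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
};
const HARDENED_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Frame-Options": "DENY",
};
```

Running `auditHeaders(WEAK_HEADERS)` reports both checks as failing, which is the state the article describes for the error page before the fix; `auditHeaders(HARDENED_HEADERS)` reports both as passing. Sending `X-Frame-Options` alongside `frame-ancestors` is deliberate: older browsers honour only the former, while current ones prefer the latter.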
The Register asked Google whether it would care to comment on Palant's observation that Google Drive access is too broadly scoped, but we've not heard back.
“So, the question whether to keep using Screencastify at this point boils down to whether you trust Screencastify, Pendo, Webflow, Teachable, Atlassian, Netlify, Marketo and ZenDesk with access to your webcam and your Google Drive data,” he concludes. “And whether you trust all of these parties to keep their web properties free of XSS vulnerabilities. If not, you should uninstall Screencastify ASAP.”
Screencastify did not immediately respond to a phone call and emails seeking comment. ®