"Screencastify Fixes Bug That Would Have Let Rogue Websites Spy on Webcams"

Screencastify, a Chrome extension used for capturing and sharing videos from websites, was discovered to be vulnerable to a cross-site scripting (XSS) flaw that could have enabled arbitrary websites to trick people into unknowingly activating their webcams. A malicious actor could then download the resulting video from the victim's Google Drive account.

Software developer Wladimir Palant, co-founder of ad amelioration biz Eyeo, has shared his findings of the XSS bug, which Screencastify's developers fixed in February. Palant claims the browser extension remains a threat since the code trusts several partner subdomains, and an XSS issue on any of those sites might be exploited to harm Screencastify users. Palant's proof-of-concept (PoC) exploit involved locating an XSS flaw in the Screencastify code, which was not difficult because such flaws are prevalent. XSS is the second most common issue in the OWASP Top 10 and is found in almost two-thirds of all applications.

This article continues to discuss the Screencastify Chrome extension XSS vulnerability and how it still poses a risk to users.

The Register reports "Screencastify Fixes Bug That Would Have Let Rogue Websites Spy on Webcams"
