'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds

pcgamer.com:

Ever get that feeling you're being watched? If you've currently got the Screencastify Chrome extension active, you could be. A flaw the company claimed was 'fixed' may still allow malicious actors to access unsuspecting users' webcam and desktop activity, and record it for whatever they see fit. 

You've probably seen these 'sextortion' emails: «We have a recording of you doing X, Y, Z. Send us $10,000 in some obscure cryptocurrency or we'll release the vid for all the world to see.» 

With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlifyrunning, Marketo, and ZenDesk. It's an extension that lets users record, edit and submit video content for work and school projects, so users include teachers, and schoolchildren at various stages of their education. I can only imagine the panic from parents when the vulnerability was discovered, and their potential fury knowing it still hasn't been properly fixed.

According to Bleeping Computer(opens in new tab), a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. Devs behind the Chrome extension promptly sent out a supposed fix, but Palant has made it clear the app is still putting users in a vulnerable position for exploitation, and extortion.

On installing Screencastify, it asks to access your Google Drive and makes a permanent Google OAuth access token for the company's account. The cloud folders created with the token, in which all the users video projects are saved, are allegedly let unhidden. 

Chrome's desktopCapture API and tabCapture permissions are also granted automatically when you install the software, meaning it