Robi Maddison Tech

No More Snooping! Screencastify Fixed an Issue That Allowed Websites To Spy on Webcams

According to The Register, a popular Chrome extension for collecting and sharing videos from websites was recently discovered to be vulnerable to a cross-site scripting (XSS) bug, allowing arbitrary websites to trick consumers into activating their cameras without their knowledge.


Malicious Websites Can Spy on Screencastify Users Due to Vulnerability

Wladimir Palant, a software developer and co-founder of ad amelioration biz Eyeo, wrote a blog post on Monday describing how malicious people or websites exploiting Screencastify's vulnerability could turn on users' cameras without their permission and then download the video from the victim's Google Drive account.

He said he reported the XSS flaw to Screencastify on Feb. 14 and that it was corrected the next day.

However, Palant claims that the browser extension is still dangerous because the code trusts several partner subdomains. An XSS bug on any of those sites might be exploited to attack Screencastify users.

According to the Screencastify page on the Chrome Web Store, the browser extension has over 10 million users.

What Makes Screencastify's Flaw Dangerous?

The extension, as Palant points out, is directed at the education market, which opens up some unpleasant possibilities.

The Register highlighted that, more alarmingly, the extension code grants these privileges to several additional parties, including Webflow, Teachable, Atlassian, Netlify, Marketo, ZenDesk, and Pendo, all of which use Screencastify subdomains.

Furthermore, neither the Screencastify domain nor the subdomains assigned to partners have meaningful Content Security Policy protection, which is a method to mitigate XSS vulnerabilities.
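The two weaknesses described above (trust extended to every partner subdomain, and no Content Security Policy on the trusted pages) can be modelled together. The following is an added example, not Screencastify's code: the domain `recorder.example`, its hostnames, the sample CSP headers and all function names are constructed assumptions.

```javascript
// Constructed placeholders: "recorder.example" stands in for a vendor domain.
const BASE = "recorder.example";
const FIRST_PARTY = new Set(["https://app.recorder.example"]);

function parse(url) {
  try { return new URL(url); } catch { return null; }
}

// Broad trust: every HTTPS subdomain may talk to the extension.
function trustedByWildcard(url) {
  const u = parse(url);
  return !!u && u.protocol === "https:" &&
    (u.hostname === BASE || u.hostname.endsWith("." + BASE));
}

// Narrow trust: only exact first-party origins are accepted.
function trustedByAllowlist(url) {
  const u = parse(url);
  return !!u && FIRST_PARTY.has(u.origin);
}

// True when the CSP limits script sources and allows neither inline script
// nor "*". Conservative: 'unsafe-inline' counts as weak even beside a nonce.
function cspRestrictsScripts(header) {
  if (!header) return false;
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values);
  }
  const src = directives.get("script-src") ?? directives.get("default-src");
  return !!src && !src.some(v => v === "'unsafe-inline'" || v === "*");
}

// Constructed sample: pages and the CSP header each one returns.
const PAGES = [
  { url: "https://app.recorder.example/record", csp: "script-src 'self'; object-src 'none'" },
  { url: "https://help.recorder.example/faq", csp: null },
  { url: "https://shop.recorder.example/", csp: "default-src * 'unsafe-inline'" },
  { url: "https://recorder.example.lookalike.test/", csp: null },
];

// Hosts the extension trusts that lack a script-restricting CSP.
function exposedHosts(pages, trustFn) {
  return pages
    .filter(p => trustFn(p.url) && !cspRestrictsScripts(p.csp))
    .map(p => new URL(p.url).hostname);
}

console.log(exposedHosts(PAGES, trustedByWildcard), exposedHosts(PAGES, trustedByAllowlist));
```

With the wildcard rule, two partner-style hosts end up trusted without any CSP mitigation; with the exact-origin allowlist, none do.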

How To Protect Yourself From a Spying Employer

So Screencastify had an issue where someone could spy on its users without their consent. But did you know that "snooping" on someone is not that uncommon since the pandemic started?

Startup.info said that the COVID-19 outbreak ushered in a new era of remote work. Employees have reaped various benefits from adopting the work-from-home policy, but it also has certain cons. Workplaces' usage of monitoring software tools to spy on their staff is one of the major concerns for employees.

If your company needs you to install spyware software on your home computers to monitor your online activities and you find this intrusive, you can try using the methods below:

© 2022 iTech Post All rights reserved. Do not reproduce without permission.