Vulnerability in Screencastify allowed sites to spy on users through cameras

The popular Screencastify extension for Chrome, which records screen and webcam video and uploads the recordings to Google Drive, could be abused through a cross-site scripting (XSS) vulnerability on a Screencastify website that the extension trusts: an arbitrary site could make a user's browser silently turn on the webcam and record. Using the same flaw, an attacker could then download the resulting recordings from the victim's Google Drive.

The problem was discovered by developer Vladimir Palant, who reported it to the vendor in February 2022. Although the website vulnerability was fixed the next day, Palant says the extension still poses a threat: its code trusts a large number of Screencastify subdomains, several of them operated by partners, and an XSS on any one of them could be used to attack Screencastify users.

“The extension grants screencastify.com enough privileges to record video through the user’s webcam and get the result. No user interaction is required, and there are practically no visible indicators of what is happening. You can even hide your tracks: you just need to delete the video from Google Drive and use another message to close the extension tab after the recording is completed,” Palant explained.

Notably, the extension grants these privileges not only to Screencastify itself via app.screencastify.com, but also to a number of other companies, including Webflow, Teachable, Atlassian, Netlify, Marketo, ZenDesk and Pendo, through Screencastify subdomains that are delegated to them.

According to Palant, neither Screencastify’s own domains nor the subdomains delegated to partners have an adequate Content Security Policy (CSP), so nothing on those pages would stop an injected script from running.

Palant found the problem on February 14, 2022, and it was fixed on February 15. The vendor’s reply also promised a longer-term plan to roll out Content Security Policies, but as of May 23 no such policy had been deployed on either app.screencastify.com or www.screencastify.com, apart from the addition of framing protection.
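To verify a claim like the one above (no Content Security Policy, only framing protection added), a tester inspects the response headers of the page in question. The following script is an added example, not code from Screencastify or from Palant’s report: it takes a dict of HTTP response headers and reports whether a CSP actually restricts script execution and whether framing protection is present. The header sets embedded at the bottom are constructed for illustration and were not captured from any real host.

```python
"""Check whether a response's headers would blunt an XSS on that page.

Added example, not code from Screencastify or from Palant's report. It takes a
dict of HTTP response headers (as returned by any HTTP client) and reports
whether a Content Security Policy actually restricts script execution and
whether framing protection is present. The sample header sets at the bottom
are constructed for illustration and were not captured from any real host.
"""
from typing import Dict, List, Optional

# Source expressions that leave a script-src list effectively unrestricted.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive: [source expressions]}.

    A directive repeated within one policy is ignored after its first
    occurrence, so the first occurrence wins here as well.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_script_sources(csp: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; without it default-src applies; with neither, nothing does."""
    if "script-src" in csp:
        return csp["script-src"]
    return csp.get("default-src")


def script_sources_block_xss(sources: Optional[List[str]]) -> bool:
    """True if the list would stop an injected inline script or one fetched
    from an attacker-controlled host; False if it imposes no real limit."""
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return True
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    # Browsers implementing CSP level 2 or later ignore 'unsafe-inline' once a
    # nonce or hash is listed; without one it re-enables inline injection.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False
    if PERMISSIVE_SOURCES & set(lowered):
        return False
    return True


def assess_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise the XSS and framing posture implied by a response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Content-Security-Policy-Report-Only never blocks anything, so it is
    # deliberately not consulted here.
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    sources = effective_script_sources(csp) if csp is not None else None
    xss_mitigated = script_sources_block_xss(sources)
    # Framing protection comes from CSP frame-ancestors or the older X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    framing_protected = (csp is not None and "frame-ancestors" in csp) or xfo in {"DENY", "SAMEORIGIN"}

    findings: List[str] = []
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif not xss_mitigated:
        findings.append("CSP present but script sources are permissive: " + " ".join(sources or []))
    if not framing_protected:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    return {"has_csp": csp is not None, "xss_mitigated": xss_mitigated,
            "framing_protected": framing_protected, "findings": findings}


# Constructed samples (hypothetical, not captured from any real server).
# Only framing protection, no CSP: the posture the article describes.
SAMPLE_FRAMING_ONLY = {"Content-Type": "text/html; charset=utf-8",
                       "X-Frame-Options": "SAMEORIGIN"}
# A CSP that exists but blocks nothing useful.
SAMPLE_WEAK_CSP = {"Content-Security-Policy":
                   "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'"}
# A nonce-based policy that would neutralise an injected script.
SAMPLE_HARDENED = {"Content-Security-Policy":
                   "default-src 'self'; script-src 'self' 'nonce-d2Vic2Vj'; "
                   "object-src 'none'; frame-ancestors 'self'"}

if __name__ == "__main__":
    for label, hdrs in [("framing-only", SAMPLE_FRAMING_ONLY),
                        ("weak-csp", SAMPLE_WEAK_CSP),
                        ("hardened", SAMPLE_HARDENED)]:
        print(label, assess_headers(hdrs))
```

The check distinguishes three states a practitioner cares about: no policy at all, a policy that is present but permissive (wildcards or `'unsafe-inline'` without a nonce or hash), and a policy that would actually neutralise an injected script. A `Content-Security-Policy-Report-Only` header is ignored on purpose, since it only reports and never blocks, and framing protection is counted separately because, as the article notes, it can be present while script execution remains unrestricted.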

Nor has the API Palant examined been restricted: it still issues Google OAuth tokens that give access to the victim’s Google Drive.