The popular Screencastify Chrome extension for capturing and sharing videos from websites contains a cross-site scripting (XSS) vulnerability that could allow arbitrary websites to force users to unintentionally turn on their cameras.
Using this vulnerability, an attacker could also download the recorded videos from a victim's Google Drive.
The problem was discovered by the developer Vladimir Palant, who reported his finding to the vendor in February 2022. Although the vulnerability was fixed the next day, Palant said the extension still poses a threat because its code trusts multiple partner subdomains, and an XSS vulnerability on any of them could potentially be used to attack Screencastify users.
Notably, the extension extends this trust not only to Screencastify's own app.screencastify.com but also to a number of third parties, including Webflow, Teachable, Atlassian, Netlify, Marketo, ZenDesk, and Pendo, through Screencastify subdomains delegated to them.
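As an added illustration (this is not Screencastify's code, which the article does not show), the snippet below contrasts a suffix-based origin check, which extends an extension's trust to every screencastify.com subdomain including ones delegated to partners, with an exact-origin allowlist; the partner hostname used is constructed.

```javascript
// Added example, not the extension's own code. Demonstrates why trusting a
// whole domain suffix is riskier than trusting exact, registered origins.

// Only the first-party app origin is registered (assumption for this example).
const TRUSTED_ORIGINS = new Set(["https://app.screencastify.com"]);

function parseOrigin(origin) {
  try {
    return new URL(origin);
  } catch {
    return null; // not a well-formed origin string
  }
}

// Loose check: any https host under screencastify.com is trusted.
// A subdomain delegated to a partner (e.g. via CNAME) passes this check too,
// so an XSS on that partner's page inherits the extension's privileges.
function isTrustedBySuffix(origin) {
  const url = parseOrigin(origin);
  if (!url || url.protocol !== "https:") return false;
  const host = url.hostname;
  return host === "screencastify.com" || host.endsWith(".screencastify.com");
}

// Strict check: only pre-registered exact origins are trusted.
function isTrustedExact(origin) {
  const url = parseOrigin(origin);
  if (!url || url.protocol !== "https:") return false;
  return TRUSTED_ORIGINS.has(url.origin);
}

// Guard to run inside an onMessageExternal-style handler before doing any
// privileged work (camera access, token issuance, ...).
function gateExternalMessage(senderOrigin, check) {
  if (!check(senderOrigin)) {
    return { allowed: false, reason: `untrusted origin ${senderOrigin}` };
  }
  return { allowed: true, reason: "origin on allowlist" };
}

// Constructed hostname standing in for a partner-delegated subdomain.
const PARTNER_ORIGIN = "https://partner-example.screencastify.com";
console.log(gateExternalMessage(PARTNER_ORIGIN, isTrustedBySuffix).allowed); // true
console.log(gateExternalMessage(PARTNER_ORIGIN, isTrustedExact).allowed);    // false
```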
According to Palant, neither the domains nor subdomains of Screencastify delegated to partners have an adequate content security policy.
The developer discovered the problem on February 14, 2022, and it was fixed on February 15. According to the response he received from the vendor, a longer-term plan for content security policies was also to be implemented, but as of May 23 the policies had not been changed for either app.screencastify.com or www.screencastify.com, apart from the addition of framing protection.
The API Palant examined had not been restricted and still issues Google OAuth tokens, which can be used to access victims' Google Drive.