Michael Lazin via plug on 29 Jul 2021 07:33:42 -0700



Re: [PLUG] slightly off topic, possible privacy issues with JavaScript


Awesome, thanks! I had honest worries when I saw this code in an environment, but I didn't know that permissions for the code were handled on the browser side; this makes perfect sense. I appreciate the detailed answer.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Thu, Jul 29, 2021 at 2:19 PM Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Thu, Jul 29, 2021 at 9:34 AM Michael Lazin via plug
<plug@lists.phillylinux.org> wrote:
>
> I cannot say where, but I came across code like this in a dangerous place in the wild:
>
> https://stackoverflow.com/questions/27846392/access-microphone-from-a-browser-_javascript_
>
> In my personal opinion, this built-in function of JavaScript raises
> privacy issues.  When you are using a mobile device, like Android or
> iPhone, there are fine-grained permissions for apps that would prevent
> the listening of an application without your permission, but I have
> checked, and the JavaScript standard has no protection to prevent any
> website from listening without your knowledge.  I was wondering what
> others might think of this even though it is off topic, and if anyone
> has an idea on how to report this.  JavaScript has a long history of
> security issues, but this seems like a glaring privacy oversight.

All JavaScript does is provide the API to the application to record
audio.  The security is built into the interpreter (which is typically
a browser).

If you tried to run this code on a website, most modern browsers would
display a popup that says that the site is attempting to record audio,
and give you the option to allow it.  Or something along those lines.
Most browsers are going to block it by default without an express
opt-in.  Some browsers might have a way to whitelist sites/etc, which
could be used in corporate deployments to avoid notices like this (if
you're using somebody else's computer, assume it is spying on you
unless you trust them not to).

I'm not sure what error handling/etc JavaScript implements if the user
denies permissions, or if the application just gets silence.

I guess you could argue about whether these should be part of the
JavaScript standard itself or not.  I don't have a lot of knowledge
about how that is typically done, as layering is a thing.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
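
An added example, not part of the original thread: how a page sees the browser-side permission decision discussed above. When access is refused, `getUserMedia` rejects its promise with a named error instead of delivering silence. The names `probeMicrophone` and `REASONS` are hypothetical; in a browser the argument would be `navigator.mediaDevices`.

```javascript
// Added example. probeMicrophone and REASONS are hypothetical names.
// The browser, not the script, decides whether audio capture is allowed.
const REASONS = {
  NotAllowedError: 'denied by the user or by browser/site policy',
  NotFoundError: 'no microphone available',
  NotReadableError: 'microphone busy or hardware error',
};

// mediaDevices: pass navigator.mediaDevices in a browser. It is undefined
// on insecure (non-HTTPS) origins, so that case is reported as well.
async function probeMicrophone(mediaDevices) {
  if (!mediaDevices || typeof mediaDevices.getUserMedia !== 'function') {
    return {
      granted: false,
      reason: 'API unavailable (insecure context or unsupported browser)',
    };
  }
  try {
    // This call is what makes the browser show its permission prompt
    // (or apply a decision the user or an administrator already stored).
    const stream = await mediaDevices.getUserMedia({ audio: true });
    // Stop every track so the browser releases the device immediately.
    stream.getTracks().forEach((track) => track.stop());
    return { granted: true, reason: 'user allowed access' };
  } catch (err) {
    // Refusal surfaces here as a rejected promise with a named error.
    const reason = REASONS[err.name] || `unexpected error: ${err.name}`;
    return { granted: false, reason };
  }
}

// Browser usage: probeMicrophone(navigator.mediaDevices).then(console.log);
```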