Martin Cracauer via plug on 29 Jul 2021 07:53:42 -0700



Re: [PLUG] slightly off topic, possible privacy issues with JavaScript


Well, either way, the microphone should have an LED like the camera
does.  That would be an improvement.

And the LED should be in-line with the power circuit for the camera or
microphone, so that it is physically impossible to activate without
the LED turning on.  Right now it is a software-controlled LED, so as
soon as you are root you can watch/listen while keeping the LED off.

I'm not sure how that mixes with always-on microphones for today's
smartphone services ("OK Google" etc), but I would like to have an
option to turn that off in the first place.

Permissions for apps or websites are nice, but domain names and apps
get sold to bad actors, and that is not rare.  They can re-use
permissions given to the original good actor.  LED or nuffing.

/rant

Martin

Michael Lazin via plug wrote on Thu, Jul 29, 2021 at 02:32:57PM +0000: 
> Awesome, thanks!  I had honest worries when I saw this code in an
> environment, but I didn't know that permissions for the code were handled
> on the browser side, this makes perfect sense.  I appreciate the detailed
> answer.
> 
> Michael Lazin
> 
> 
> On Thu, Jul 29, 2021 at 2:19 PM Rich Freeman <r-plug@thefreemanclan.net>
> wrote:
> 
> > On Thu, Jul 29, 2021 at 9:34 AM Michael Lazin via plug
> > <plug@lists.phillylinux.org> wrote:
> > >
> > > I cannot say where, but I came across code like this in a dangerous
> > > place in the wild:
> > >
> > >
> > > https://stackoverflow.com/questions/27846392/access-microphone-from-a-browser-javascript
> > >
> > > In my personal opinion, this built in function of JavaScript raises
> > > privacy issues.  When you are using a mobile device, like Android or
> > > iPhone, there are fine grained permissions for apps that would prevent
> > > the listening of an application without your permission, but I have
> > > checked, and the JavaScript standard has no protection to prevent any
> > > website from listening without your knowledge.  I was wondering what
> > > others might think of this even though it is off topic, and if anyone
> > > has an idea on how to report this.  JavaScript has a long history of
> > > security issues, but this seems like a glaring privacy oversight.
> >
> > All Javascript does is provide the API to the application to record
> > audio.  The security is built into the interpreter (which is typically
> > a browser).
> >
> > If you tried to run this code on a website, most modern browsers would
> > display a popup that says that the site is attempting to record audio,
> > and give you the option to allow it.  Or something along those lines.
> > Most browsers are going to block it by default without an express
> > opt-in.  Some browsers might have a way to whitelist sites/etc, which
> > could be used in corporate deployments to avoid notices like this (if
> > you're using somebody else's computer, assume it is spying on you
> > unless you trust them not to).
> >
> > I'm not sure what error handling/etc Javascript implements if the user
> > denies permissions, or if the application just gets silence.
> >
> > I guess you could argue about whether these should be part of the
> > Javascript standard itself or not.  I don't have a lot of knowledge
> > about how that is typically done, as layering is a thing.
> >
> > --
> > Rich
> >

> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org>   http://www.cons.org/cracauer/
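
The thread leaves open what a page actually sees when the user declines the microphone prompt. As an added example (not code from this thread or from the linked Stack Overflow question): getUserMedia() rejects its promise with a named DOMException instead of handing the page silence. The names requestMicrophone, classifyMicError and fakeDeniedBrowser are hypothetical, and the fake object is a constructed stand-in for a browser so the code also runs outside one.

```javascript
// Map the DOMException names that getUserMedia() rejects with to a
// plain outcome. The names are defined by the Media Capture spec.
function classifyMicError(err) {
  switch (err && err.name) {
    case 'NotAllowedError':   // user pressed "Block", or policy forbids capture
      return 'denied';
    case 'NotFoundError':     // no microphone is attached
      return 'no-device';
    case 'NotReadableError':  // the OS or another program holds the device
      return 'device-busy';
    case 'SecurityError':     // capture is disabled for this document
      return 'blocked-by-policy';
    default:
      return 'error';
  }
}

// Hypothetical helper: ask for the microphone once and report the outcome.
// `mediaDevices` is passed in so the function can be exercised without a
// browser; on a real page pass navigator.mediaDevices, which is undefined
// in an insecure (non-HTTPS) context.
async function requestMicrophone(mediaDevices) {
  if (!mediaDevices || typeof mediaDevices.getUserMedia !== 'function') {
    return { outcome: 'unavailable', stop() {} };
  }
  try {
    const stream = await mediaDevices.getUserMedia({ audio: true });
    return {
      outcome: 'granted',
      // Stopping every track releases the capture device.
      stop() { stream.getTracks().forEach((track) => track.stop()); },
    };
  } catch (err) {
    return { outcome: classifyMicError(err), stop() {} };
  }
}

// Constructed stand-in for a browser in which the user pressed "Block".
const fakeDeniedBrowser = {
  getUserMedia() {
    const err = new Error('Permission denied');
    err.name = 'NotAllowedError';
    return Promise.reject(err);
  },
};
```

In a browser, `requestMicrophone(navigator.mediaDevices)` triggers the permission prompt; calling `stop()` on a granted result ends the capture.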