Are you one of the legions of users using the Screencastify Chrome extension? It's a fantastic Chrome extension that allows you almost effortlessly to create screencasts for various purposes.
Unfortunately, the web extension also suffers from a critical security vulnerability that allows attackers to take control of a user's webcam and steal recorded videos.
Independent security researcher Wladimir Palant reported the cross-site scripting (XSS) vulnerability that made this possible, and it was reported on Valentine's Day of this year (February 14, 2022). The vendor that created the extension responded quickly to the reported flaw and issued a fix just days after the issue was reported to them.
While we applaud the rapid response, unfortunately, the fix didn't completely address the issue, which may still be possible. However, the threat from external attackers has been eliminated. Unfortunately, three months later, the lingering problems that could allow an unscrupulous insider to make the same kind of attack remain unaddressed.
That's problematic because Screencastify boasts more than ten million installations worldwide on the Chrome store. The total number of buildings may be significantly higher, but the site's counter only goes to ten million.
The extension's popularity exploded during the pandemic because it represented a quick and easy solution to a problem that only emerged when tens of millions worldwide started working from home.
Mr. Palant sums up the core issue like this:
"The problem was located in the error page displayed if you submitted a video to a challenge and were trying to submit another one. This error page is under a fixed address, so it can be opened directly rather than triggering the error condition."
In any case, if you use the extension, be aware of its risks. Unfortunately, there is no word from the vendor on whether or when another fix might come.
