'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds

A creepy dude snapping pics through blinds.
(Image credit: D-Keine/Getty)

Ever get that feeling you're being watched? If you've currently got the Screencastify Chrome extension active, you could be. A flaw the company claimed was 'fixed' may still allow malicious actors to access unsuspecting users' webcam and desktop activity, and record it for whatever they see fit. 

You've probably seen these 'sextortion' emails: "We have a recording of you doing X, Y, Z. Send us $10,000 in some obscure cryptocurrency or we'll release the vid for all the world to see." 

With over 10,000,000 installs, Screencastify caters to a range of companies such as Webflow, Teachable, Atlassian, Netlify, Marketo, and ZenDesk. It's an extension that lets users record, edit and submit video content for work and school projects, so its users include teachers and schoolchildren at various stages of their education. I can only imagine the panic from parents when the vulnerability was discovered, and their potential fury knowing it still hasn't been properly fixed.

According to Bleeping Computer, a cross-site scripting (XSS) vulnerability in the Screencastify software was reported by security researcher Wladimir Palant on February 14, 2022. Devs behind the Chrome extension promptly sent out a supposed fix, but Palant has made it clear the app still leaves users open to exploitation, and extortion.

On installation, Screencastify asks to access your Google Drive and makes a permanent Google OAuth access token for the company's account. The cloud folders created with the token, in which all the user's video projects are saved, are allegedly left unhidden. 

Chrome's desktopCapture API and tabCapture permissions are also granted automatically when you install the software, meaning it has the ability to record your desktop too.

On top of this, the software's WebRTC API permission is only requested once, meaning the capture functions are continuously enabled from the get-go, unless you switch the setting to 'ask permission' each time. Even then, Palant found that hackers could not only steal the authentication token, but also use the Screencastify app to record without notifying the user at all.


"Not much appears to have changed here, and I could verify that it is still possible to start a webcam recording without any visual clues," Palant explains in their research blog post.

"The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one." And since the error page has a fixed address, "it can be opened directly rather than triggering the error condition."
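The quote above describes the general shape of a reflected XSS: an error page at a fixed address reads part of its content from the request, so anyone can open that address directly with content of their choosing. The following is an added illustration, not Screencastify's code; it assumes a hypothetical error.html page that takes its message from a `reason` query parameter, and uses a placeholder extension id. It shows the unsafe rendering beside the hardened one, where the untrusted value is escaped before it touches the markup.

```javascript
// Added example (not Screencastify's code). Models an extension error page whose
// address is fixed, so its query parameters must be treated as attacker-controlled.

// Minimal HTML escaping for text placed inside an element body or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read the hypothetical "reason" query parameter from the page URL.
function reasonFromUrl(pageUrl) {
  const url = new URL(pageUrl);
  return url.searchParams.get("reason") || "unknown error";
}

// Vulnerable pattern: the raw parameter is interpolated straight into HTML,
// so markup (and event-handler attributes) in the URL become part of the page.
function renderErrorUnsafe(pageUrl) {
  const reason = reasonFromUrl(pageUrl);
  return `<div class="error">Could not submit video: ${reason}</div>`;
}

// Hardened pattern: the same parameter is escaped first, so it can only ever be
// shown as text. (Using element.textContent instead of innerHTML in a real page
// achieves the same thing without hand-rolled escaping.)
function renderErrorSafe(pageUrl) {
  const reason = reasonFromUrl(pageUrl);
  return `<div class="error">Could not submit video: ${escapeHtml(reason)}</div>`;
}

// Crude check used only to show the difference between the two renderers:
// does the rendered body contain any tag that did not come from our template?
function containsForeignTag(html) {
  const body = html.replace(/^<div class="error">/, "").replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(body);
}

// Constructed input: the fixed error-page address with markup smuggled into the
// parameter. The extension id is a placeholder, not a real one.
const CONSTRUCTED_URL =
  "chrome-extension://extensionidplaceholder/error.html?reason=" +
  encodeURIComponent('already submitted <b onmouseover="x()">retry</b>');

const unsafeHtml = renderErrorUnsafe(CONSTRUCTED_URL);
const safeHtml = renderErrorSafe(CONSTRUCTED_URL);
```

Run it in Node and compare the two strings: the unsafe output carries the injected `<b onmouseover=...>` element as live markup, while the hardened output shows the same characters as inert text. The same lesson applies to any extension page reachable by URL: a fixed address means the attacker, not the error condition, decides what the parameters contain.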

Both Bleeping Computer and Palant have contacted Screencastify, but to no avail. 

Here's a quick glance over the Screencastify privacy policy:

"We use security and technology measures consistent with industry standards to try to protect your information and make sure that it is not lost, damaged or accessed by anyone who should not see it."

"Despite our security measures, we cannot guarantee the absolute security of your personal information."

Here's hoping the vulnerability is sorted properly, and soon, before rogue employees or hackers start making use of the exploit. Best to use a different platform for the time being, perhaps.

Katie Wickens
Hardware Writer

Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. Having been obsessed with computers and graphics for three long decades, she took Game Art and Design up to Masters level at uni, and has been rambling about games, tech and science—rather sarcastically—for four years since. She can be found admiring technological advancements, scrambling for scintillating Raspberry Pi projects, preaching cybersecurity awareness, sighing over semiconductors, and gawping at the latest GPU upgrades. Right now she's waiting patiently for her chance to upload her consciousness into the cloud.
