
Be aware, at least in Chrome, once you give teachablemachine.withgoogle.com permission to use your camera, unless you revoke that permission it has permission to use your camera without further permission, including from iframes. In other words, every ad and analytics from Google could start injecting camera access.

I wish Chrome would give the option to only give permission "this time" and I wish it didn't allow camera access from cross-domain iframes.



Are you serious? Do you realize that Chrome is also written by Google and they could theoretically already run arbitrary code on your computer? The potential reputation damage and legal risk for Google would be way too high to pull off something like that.


If this happened, the Google Chrome tab would show a camera. Many webcams have adjacent LEDs that identify that they are activated.

Google could theoretically release compromised versions of Google Chrome and only use the permission on devices where webcam LEDs are unlikely (e.g. smartphones), but this is going deep into tin-foil-hat territory.


That's not helpful. The pictures would already be taken and uploaded to servers without my permission regardless of whether or not I wanted my picture taken or what's visible (contracts, trade secrets, people in various states of undress).

Also, this isn't about Google spying. It's about Chrome's bad camera permission model. Any company can abuse it.


But won’t it be on just that FQDN alone? Google analytics and ads are served from a totally different domain. What’s the actual concern here?


Google ads and analytics inject JavaScript, which means they can insert iframes for any domain they want. If they injected <iframe src="https://teachablemachine.withgoogle.com/spyonuserwithcamera" /> they'd be able to use your camera from the ad or analytics without asking for permission again.

Of course I'm not suggesting Google would actually do that, but some other company might make seeamazingcamerameme.com to get users to turn on their camera for that domain and then after that make iframes for seeamazingcamerameme.com/spy.


So you are contending we are secure via DNS?


That's one of these arguments that may attack the parent in isolation, but makes absolutely no sense in the context of the thread they were replying to.

Because if you assume an attacker to have control over DNS, the security model of giving permission on a per-domain basis is broken anyway, and the initial concern with granting google this access is already subsumed in your general paranoia.


No it isn’t. TLS helps ensure you aren’t talking to a rogue server and HSTS ensures you can be spoofed in the first http request to a new server.


Chrome does give you this option. It's called "incognito mode"


Good to know, but thankfully easy to remove permissions from the settings.
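
The site operator's side of the concern raised in this thread, as an added example that is not part of any comment above: the `Permissions-Policy` response header can declare which origins may use the camera, and this sketch checks whether a page's header excludes a given embedded frame origin. The function names, origins, paths and header values are constructed for illustration, and the parser handles only the `camera` directive in a simplified way.

```javascript
// Added example, not from the thread. Simplified Permissions-Policy audit
// limited to the "camera" directive. All sample values are constructed.

// Returns the declared camera allowlist as an array of tokens,
// or null when the header does not declare "camera" at all.
function cameraAllowlist(headerValue) {
  if (!headerValue) return null;
  // Match "camera=" only at the start of the header or right after a comma.
  const m = /(?:^|,)\s*camera\s*=\s*(\*|\([^)]*\)|[^,\s]+)/.exec(headerValue);
  if (!m) return null;
  const raw = m[1];
  if (raw === '*') return ['*'];
  const inner = raw.startsWith('(') ? raw.slice(1, -1) : raw;
  return inner.split(/\s+/).filter(Boolean).map(t => t.replace(/^"|"$/g, ''));
}

// True when the header's camera allowlist excludes frameOrigin.
// False means the header imposes no block: the outcome is then left to
// the browser's defaults and to how the iframe is embedded.
function headerBlocksFrameCamera(headerValue, pageOrigin, frameOrigin) {
  const list = cameraAllowlist(headerValue);
  if (list === null) return false;            // camera not declared
  if (list.includes('*')) return false;       // every origin allowed
  if (list.includes('self') && frameOrigin === pageOrigin) return false;
  return !list.includes(frameOrigin);         // "camera=()" blocks everyone
}

// Lists the pages whose header does not block the given frame origin.
function pagesExposingCamera(pages, pageOrigin, frameOrigin) {
  return pages
    .filter(p => !headerBlocksFrameCamera(p.header, pageOrigin, frameOrigin))
    .map(p => p.path);
}

// Constructed sample: response headers as an operator might collect them.
const SAMPLE_PAGES = [
  { path: '/checkout',   header: 'camera=(), microphone=()' },
  { path: '/video-call', header: 'geolocation=(self), camera=(self "https://widgets.example")' },
  { path: '/blog',       header: '' },
  { path: '/legacy',     header: 'camera=*' },
];

console.log(pagesExposingCamera(SAMPLE_PAGES, 'https://shop.example', 'https://ads.example'));
```

Pages the audit lists are candidates for an explicit `camera=()` or `camera=(self)` declaration.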



