*** This bug is a security vulnerability *** Public security bug reported:
The plain web browser can access the microphone when you deny the permission to access camera and microphone. Tested / discovered with bq Aquaris E5 Ubuntu Edition, OTA-9.1 (vegeta, latest stable as of today). How to Reproduce ---------------- 1.) Go to e.g. https://appear.in/test-drive on your Ubuntu phone (default web browser app) 2.) When prompted for "Allow this domain access the camera and microphone" choose "No" 3.) Click away the chat window (touch the down-arrow at right lower corner) 4.) Touch the screen to dismiss the "help text" ("Video off" is shown prominently) 5.) Touch the screen again to show the video controls, touch on the "microphone" icon; "Audio only" is shown on the screen 6.) Log in to the same URL from a PC (or another phone) to verify audio works Other Details ------------- Discussion on the mailing list: https://lists.launchpad.net/ubuntu-phone/msg18659.html ** Affects: webbrowser-app (Ubuntu) Importance: Undecided Status: New ** Tags: audio permissions video ** Information type changed from Private Security to Public ** Summary changed: - Access to camera is allowed even when user denies access to "video and microphone" + Access to microphone is allowed even when user denies access to "video and microphone" ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1553482 Title: Access to microphone is allowed even when user denies access to "video and microphone" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1553482/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
