A recently discovered vulnerability in the popular Google Chrome browser could allow a hacker to record audio or video from a device’s microphone or webcam without any indication to the user.

The flaw was first discovered by AOL developer Ran Bar-Zik, who found it was possible to activate the microphone and webcam without user prompting and turn the browser into a surveillance tool for an attacker.

Read: Alternatives To Google And Gmail: Private Search And Email Services Promise Online Anonymity

The vulnerability stems from an issue in WebRTC, a communication framework the Chrome browser supports to allow users to make use of real-time voice and video chats like Google Hangouts.

Typically, Chrome prompts the user when a website attempts to activate WebRTC to prevent the site from accessing the tools without permission. Chrome will also show a red dot on a tab when a recording is taking place.

Bar-Zik discovered a way to bypass some of Chrome’s attempts to alert users to the browser’s activity thanks to a flaw in the new HTML5 video and audio API (application program interface).

The developer created a script that would open a new tab after the user allowed WebRTC on a website. Once the framework is approved, the hidden tab created by the script would persist and record audio and video from the device without the red recording dot appearing on screen.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

Bar-Zik published proof-of-concept code for the attack and created a website to demonstrate the possibility a hacker could record a user through the browser. The site asks a visitor for permission to use WebRTC, then creates a pop-up that records 20 seconds of audio without giving any indication to the user.

Read: Google Removes Chrome Extensions From Web Store Citing Hidden Malware As Reason

In a real attack, Bar-Zik warned, an attacker could create a much more discreet method of recording that could capture audio and video for an extended period of time.

“It can use very small pop-under and submit the data anywhere and close it when the user is focusing on it. It can use the camera for [a] millisecond to get your picture. It can [in theory] use XSS to ride on legitimate sites and their permissions,” Bar-Zik said.

Bar-Zik disclosed the bug to Google on April 10, but the company has yet to take action to fix the vulnerability. The developer said his report was “not classified as a high urgent issue” by the browser developers.

“This isn't really a security vulnerability,” one person involved on Chromium, the open source platform behind Chrome, wrote. “For example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.”

The bug is not the first time Chrome has been accused of being an accessory of spying. It was previously reported the browser from Google was remotely updated with code that would allow the browser to listen to and record conversations without the user’s permission.