25809 2014-05-19 18:20:59 +0000 Security issue: Abuse of "call me" URLs 2014-09-25 14:44:29 +0000 1 1 1 Unclassified WebRTC Working Group Media Capture and Streams unspecified PC All RESOLVED FIXED P2 normal --- 1 fluffy adam.bergkvist adam.bergkvist dom harald juberti public-media-capture stefan.lk.hakansson oldest_to_newest 106358 0 fluffy 2014-05-19 18:20:59 +0000 The security section should warn people about the risk of having a website that took URL like www.example.com?call=evil or www.example.com?call=+1900-PAY-FLUF. If the site automatically makes that call if example.com had permission, then an advertisement network can display an add that redirects you to this and the users camera will sending stuff and sending it to an attacker. 107502 1 harald 2014-06-09 07:43:38 +0000 Changing subject for better readability. 107559 2 juberti 2014-06-10 00:23:52 +0000 Agree, was thinking about this the other day. We will make changes to our sample apps to prevent this. 108669 3 adam.bergkvist 2014-07-03 05:26:00 +0000 The receivers of this info would be web developers, rather than implementers of the spec. Where do we put that kind of info 110700 4 dom 2014-08-28 09:38:07 +0000 Proposed fix: https://github.com/w3c/mediacapture-main/pull/9 I'm also suggesting more thorough protections against this type of abuse: http://lists.w3.org/Archives/Public/public-media-capture/2014Aug/0187.html 111588 5 stefan.lk.hakansson 2014-09-16 14:17:30 +0000 In the interest of making progress, I propose we add a note of that more feedback is wanted from webappsec on this. 111596 6 dom 2014-09-16 15:29:04 +0000 (In reply to Stefan Hakansson LK from comment #5) > In the interest of making progress, I propose we add a note of that more > feedback is wanted from webappsec on this. I've updated PR 9 to that effect. 112174 7 fluffy 2014-09-25 14:44:29 +0000 Merged dom's PR to fix this.