Description:
The proctoring system currently accepts any video input from getUserMedia() without verifying whether the source is a physical webcam. This allows users to bypass monitoring by using virtual cameras (e.g., OBS, ManyCam) that can stream pre-recorded or manipulated video feeds.
Steps to Reproduce:
Install and run a virtual camera software (e.g., OBS Studio with virtual camera enabled).
Start the proctoring system in the browser.
Grant camera permissions when prompted.
Select the virtual camera as the video input.
Observe that the system accepts the feed without any restriction.
Expected Behavior:
The system should detect and restrict the use of virtual cameras. Only legitimate physical webcam devices should be allowed for proctoring.
Actual Behavior:
The application accepts all video input sources without validation, including virtual cameras, making it possible to spoof live video feeds.
Possible Cause:
The application relies solely on getUserMedia() for camera access and does not validate device metadata such as camera labels or device characteristics to differentiate between real and virtual cameras.
Suggested Fix:
Implement detection of virtual cameras using device labels from navigator.mediaDevices.enumerateDevices(). Note that browsers return an empty label until the page has been granted camera permission at least once, so enumerate only after the first getUserMedia() grant and do not treat an empty label as a physical camera.
Block or warn users if suspicious keywords are found in the label (e.g., "obs", "virtual", "manycam", etc.). This is a heuristic: the label is the OS driver name, which a user can rename or re-register, so treat a match as a signal and combine it with the checks below rather than relying on it alone.
Optionally:
Lock selected camera using deviceId to prevent switching during the session.
Add basic frame repetition checks to detect static or looped video feeds.
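The following is an added example, not code from this issue or from the proctoring project, showing one way to implement the three checks above: label classification, locking the stream to a deviceId with an `exact` constraint, and a frame-repetition detector for static or looped feeds. The helpers are pure functions so they run under Node with constructed sample data; the keyword list, thresholds, sample device list and synthetic frames are assumptions for illustration only.

```javascript
// Added example, not code from the original issue or the proctoring project.
// Helpers are pure so they run under Node; selectAndLockCamera() is browser glue.
// Keyword list, thresholds and sample data below are assumptions.

// Heuristic blocklist. Labels are OS driver names that a user can rename,
// so a match is a signal, not proof. Substring matching is deliberately loose.
const SUSPICIOUS_LABELS = ['obs', 'virtual', 'manycam', 'xsplit', 'snap camera', 'droidcam'];

// Classify MediaDeviceInfo-like objects {kind, label, deviceId}. Chrome leaves
// label empty until getUserMedia() has been granted once, so an empty label
// is 'unknown' rather than being trusted as physical.
function classifyDevices(devices) {
  return devices
    .filter((d) => d.kind === 'videoinput')
    .map((d) => {
      const label = (d.label || '').toLowerCase();
      let verdict = 'physical';
      if (!label) verdict = 'unknown';
      else if (SUSPICIOUS_LABELS.some((k) => label.includes(k))) verdict = 'suspicious';
      return { deviceId: d.deviceId, label: d.label, verdict };
    });
}

// Pin the session to one camera. `exact` makes getUserMedia() reject with
// OverconstrainedError instead of silently falling back to another device.
function lockedConstraints(deviceId) {
  return { video: { deviceId: { exact: deviceId } }, audio: false };
}

// FNV-1a over raw RGBA bytes, cheap enough to run per frame on the main thread.
// Sensor noise means a live webcam almost never yields two bit-identical frames,
// so exact repeats point at a still image or a looped clip.
function frameHash(pixels) {
  let h = 0x811c9dc5;
  for (let i = 0; i < pixels.length; i++) {
    h ^= pixels[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// 'static' after staticThreshold identical frames in a row; 'loop' when a
// frame hash recurs within the last `window` frames after having changed.
class FrameRepeatDetector {
  constructor({ staticThreshold = 30, window = 300 } = {}) {
    this.staticThreshold = staticThreshold;
    this.window = window;
    this.recent = [];
    this.lastHash = null;
    this.sameRun = 0;
  }
  push(pixels) {                       // pixels: canvas.getImageData().data
    const h = frameHash(pixels);
    let verdict = 'ok';
    if (h === this.lastHash) {
      this.sameRun += 1;
      if (this.sameRun >= this.staticThreshold) verdict = 'static';
    } else {
      if (this.recent.includes(h)) verdict = 'loop';
      this.sameRun = 1;
    }
    this.lastHash = h;
    this.recent.push(h);
    if (this.recent.length > this.window) this.recent.shift();
    return verdict;
  }
}

function analyzeFeed(frames, opts) {
  const det = new FrameRepeatDetector(opts);
  const verdicts = frames.map((f) => det.push(f));
  return { static: verdicts.includes('static'), loop: verdicts.includes('loop') };
}

// Constructed sample data: deterministic pseudo-random 4x4 RGBA frames standing
// in for real frames, and a fake enumerateDevices() result.
function makeFrame(seed, width = 4, height = 4) {
  const px = new Uint8Array(width * height * 4);
  let s = seed >>> 0;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    px[i] = s >>> 24;
  }
  return px;
}
const SAMPLE_DEVICES = [
  { kind: 'videoinput', deviceId: 'cam-a', label: 'Integrated Camera (04f2:b604)' },
  { kind: 'videoinput', deviceId: 'cam-b', label: 'OBS Virtual Camera' },
  { kind: 'audioinput', deviceId: 'mic-c', label: 'Microphone Array' },
  { kind: 'videoinput', deviceId: 'cam-d', label: '' },
];
function demoFeeds() {
  const live = Array.from({ length: 60 }, (_, i) => makeFrame(i + 1));   // all distinct
  const still = Array.from({ length: 60 }, () => makeFrame(7));          // one frozen frame
  const looped = Array.from({ length: 60 }, (_, i) => makeFrame((i % 3) + 1)); // 3-frame loop
  const opts = { staticThreshold: 30 };
  return { live: analyzeFeed(live, opts), still: analyzeFeed(still, opts), looped: analyzeFeed(looped, opts) };
}

// Browser glue: probe once so labels populate, pick a non-suspicious camera,
// lock to its deviceId, and stop the stream if that device disappears mid-session.
async function selectAndLockCamera() {
  const probe = await navigator.mediaDevices.getUserMedia({ video: true });
  probe.getTracks().forEach((t) => t.stop());
  const cams = classifyDevices(await navigator.mediaDevices.enumerateDevices());
  const chosen = cams.find((c) => c.verdict === 'physical');
  if (!chosen) throw new Error('no acceptable camera: ' + JSON.stringify(cams));
  const stream = await navigator.mediaDevices.getUserMedia(lockedConstraints(chosen.deviceId));
  navigator.mediaDevices.addEventListener('devicechange', async () => {
    const now = classifyDevices(await navigator.mediaDevices.enumerateDevices());
    if (!now.some((c) => c.deviceId === chosen.deviceId)) stream.getTracks().forEach((t) => t.stop());
  });
  return stream;
}

if (typeof navigator === 'undefined' || !navigator.mediaDevices) {
  console.log(classifyDevices(SAMPLE_DEVICES), demoFeeds());
}
```

In a page, feed `FrameRepeatDetector.push()` from a `requestAnimationFrame` loop that draws the locked stream's video element to a canvas and reads back `getImageData().data`. All of this runs in the user's browser, so a user who controls the machine can patch it; it raises the cost of a casual bypass but is not a trust boundary.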
Environment:
OS: Windows
Browser: Chrome
Impact:
This vulnerability allows users to bypass proctoring safeguards using virtual camera feeds, compromising the integrity of the monitoring system. Implementing basic validation raises the bar with minimal overhead; because every check runs in the user's browser, it should be treated as a deterrent rather than a guarantee.
I would like to work on this issue and submit a PR if assigned.