Introduction
We've all seen the pop-up: "This website wants to use your camera." Most of us click "Allow" without thinking twice. But have you ever wondered what happens after you grant that permission? Can a site you visited weeks ago start recording you without your knowledge?
As part of our Information Security coursework, we built a simple web page that answers these questions — safely and ethically. The page automatically activates the webcam when opened, records a short video, and stores it locally and (with explicit consent) in the cloud. The goal is not to trick anyone, but to raise awareness about how browser permissions work and why we should be more careful.
The Scary Truth About Camera Permissions
Imagine visiting a website to use a simple calculator. You click a few buttons, do your math, and leave. Simple, right?
But what if, unknown to you, that website had already activated your webcam, recorded five seconds of footage, and quietly uploaded it to someone's cloud storage?
This is not science fiction. This is a real attack vector that exists today, and most internet users have no idea it's possible.
What Our Project Does
Our web page looks like a normal landing page; it even includes a calculator to make it look like a simple tool. But behind the scenes, it does three things:
- Requests camera access as soon as the page loads
- Records a five-second video silently after permission is given
- Saves the video in two ways:
  - First, it stores the video in the browser's local storage, a kind of digital "notebook" that websites can use
  - Second, if the user chooses to log in with Google, it uploads the video to their own Google Drive
After the recording finishes, a clear warning message appears explaining exactly what happened and why it matters. Nothing is hidden. Everything is transparent.
How Does This Actually Happen?
Modern browsers give websites access to your camera through a Web API called getUserMedia. When used ethically, this powers video calls, QR scanners, and photo apps. But when misused, it can be weaponized.
Here's the attack chain in simple terms:
Step 1: You visit a site and grant camera permission
Maybe it was a legitimate video call site. You clicked "Allow."
Step 2: Your browser remembers that permission
Browsers store permissions per domain. Once granted, the site doesn't need to ask again.
Step 3: You revisit (or a similar site tricks you)
A malicious site activates your camera silently on page load — no popup, no warning.
Step 4: You're recorded without knowing
The footage is saved locally or uploaded to an attacker's cloud storage in seconds.
The Permission Persistence Problem
This is the most overlooked part. Most people think clicking "Allow" once is harmless. But browsers remember that choice indefinitely unless you manually revoke it.
This means:
- A site you trusted six months ago still has camera access today
- If that site gets hacked or goes malicious, your camera is accessible
- Deceptive sites can mimic legitimate ones to exploit this trust
Real Warning Signs You're Being Watched
Watch out for these red flags when visiting any website:
| Warning Sign | What It Means |
| --- | --- |
| Camera LED turns on unexpectedly | A script activated your camera |
| Browser shows camera icon in address bar | Active camera permission in use |
| Site asks for camera with no obvious reason | Potential misuse |
| Page loads slowly after camera permission | Possible recording/upload in background |

Important: On any modern laptop, the camera LED is hardwired to the power supply; it cannot be turned off by software. If you see that light on when you're not using a video app, close the tab immediately.
How To Protect Yourself
1. Audit Your Camera Permissions
- Chrome: Settings → Privacy & Security → Site Settings → Camera
- Firefox: Settings → Privacy & Security → Permissions → Camera
- Safari: Settings → Websites → Camera

Go through every site listed and ask: do I still trust this? If not, revoke it immediately.
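The same audit can be scripted for Chrome. The sketch below is an added example, not code from our project: it lists the camera entries in a profile's Preferences JSON file and flags old "allow" grants for review. The key path `profile.content_settings.exceptions.media_stream_camera`, the setting codes, and the `last_modified` format (microseconds since 1601-01-01 UTC) are assumptions about Chrome's on-disk format, which can change between versions; the `.example` hosts are constructed sample data.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Assumed Chromium ContentSetting codes; anything else is reported as "unknown".
SETTING_NAMES = {1: "allow", 2: "block", 3: "ask"}
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # assumed base of last_modified


def camera_grants(prefs, now, stale_after_days=90):
    """List camera permission entries from a parsed Preferences dict, oldest first."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("media_stream_camera", {}))
    rows = []
    for pattern, entry in exceptions.items():
        setting = SETTING_NAMES.get(entry.get("setting"), "unknown")
        try:
            micros = int(entry.get("last_modified", 0))
        except (TypeError, ValueError):
            micros = 0  # missing or malformed timestamp
        age = (now - (WEBKIT_EPOCH + timedelta(microseconds=micros))).days if micros else None
        rows.append({
            "origin": pattern.split(",")[0],  # key looks like "origin,*"
            "setting": setting,
            "age_days": age,
            # Review grants that are old, or whose age cannot be determined.
            "review": setting == "allow" and (age is None or age >= stale_after_days),
        })
    return sorted(rows, key=lambda r: float("-inf") if r["age_days"] is None else -r["age_days"])


def _stamp(dt):
    """Encode a datetime the way the sample data needs it (constructed input only)."""
    return str((dt - WEBKIT_EPOCH) // timedelta(microseconds=1))


SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {"media_stream_camera": {
    "https://meet.example:443,*": {"setting": 1, "last_modified": _stamp(SAMPLE_NOW - timedelta(days=200))},
    "https://calc.example:443,*": {"setting": 1, "last_modified": _stamp(SAMPLE_NOW - timedelta(days=3))},
    "https://blocked.example:443,*": {"setting": 2, "last_modified": _stamp(SAMPLE_NOW - timedelta(days=400))},
}}}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a copy of a real Preferences file
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs, now = json.load(fh), datetime.now(timezone.utc)
    else:
        prefs, now = SAMPLE_PREFS, SAMPLE_NOW
    for row in camera_grants(prefs, now):
        print(row)
```

Run it with no arguments to see the constructed sample, or pass the path to a copy of your own profile's Preferences file. Any row with `review` set to true is a grant to revoke in the settings page listed above unless you still need it.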
2. Use a Physical Camera Cover
A simple webcam sticker or shutter cover costs almost nothing and provides absolute protection.
3. Watch Your Camera LED
Your camera LED should never turn on unless you're actively using a camera app. If it activates unexpectedly, disconnect from the internet immediately and run a security scan.
4. Keep Browser Permissions Minimal
Follow the principle of least privilege: only grant camera access to sites that genuinely need it (video call platforms, etc.) and revoke it immediately after.
5. Keep Your Browser Updated
Browser security teams constantly patch permission-related vulnerabilities. An outdated browser is an open door for attackers.
What We Learned Building This Demo
Building this project taught us several valuable lessons:
- Browser APIs are powerful but safe: they require user permission at every step, but that permission is easy to misuse
- User awareness is the weakest link: many people click "Allow" without reading the prompt
- Cloud integration is easier than it looks: using Google's developer tools to add Drive uploads was surprisingly straightforward once we understood the setup
- Once permission is granted, a page can activate the camera silently on load with no further user interaction required
- Recorded data can be stored locally or sent to cloud storage in seconds: users have almost no visual indication this is happening unless they know what to look for
- Security is a shared responsibility: developers must design with privacy in mind, and users must stay informed
The goal of our demo was never to exploit anyone; it was to make this threat visible so people can defend against it.
Why This Matters
We live in a world where our devices have cameras, microphones, and location sensors. These are powerful tools — but they are also powerful attack surfaces. Cybersecurity is not just for IT professionals. Every person who uses the internet needs to understand basic digital hygiene, just as we know to lock our doors at night. The question is not "can this happen to me?" The question is "am I making it easy for it to happen?"
Quick Action Checklist
Before you close this article, do these three things:
- Open your browser camera permissions and audit every site
- Cover your webcam when not in use
- Share this article with someone who doesn't know about this risk
A Note on Ethics
This project is for educational use only. It was built as part of a university assignment to help students and others understand browser security. The code includes prominent warnings, and it should never be used on anyone without their explicit consent.
Unauthorised access to someone's camera is illegal and a serious violation of privacy under Pakistan's PECA 2016, GDPR (EU), and many other laws worldwide.
Final Thoughts
The next time a website asks for camera access, pause for a moment. Ask yourself: Do I really need to use my camera here? Can I trust this site? And always keep an eye on that tiny LED next to your webcam; it's there to protect you. Building this project was a fascinating journey into the world of browser security. We hope this article encourages you to think more critically about the permissions you grant online, and to appreciate the built-in safeguards that modern browsers provide.