Introduction

As part of my Ethical Hacking Assignment, I developed a security proof-of-concept (PoC) to demonstrate how easily hardware permissions can be manipulated through social engineering. This project highlights a critical security gap: while modern browsers provide permission prompts, users can often be tricked into granting access under false pretenses through well-designed interfaces.

The Technical Process

To demonstrate this vulnerability, I divided the project into two distinct phases:

1. Social Engineering & Stealth Capture

I designed a professional landing page using HTML, JavaScript and CSS that establishes trust with the user. The page includes my student credentials to appear as a legitimate university project.

  • The Hook: A button labeled "Unlock Files & View Portfolio" triggers the camera request, masking the true intent.
  • The Stealth Mechanism: Once the user clicks "Allow," the navigator.mediaDevices.getUserMedia API activates the webcam.
  • Invisible Stream: The video element is hidden from the UI, meaning the user is recorded without seeing a preview of themselves on the screen.

2. Phase 1: Local Data Persistence

Using the MediaRecorder API, the application captures a 7-second video clip. Once the recording stops, the data is processed as a Blob and automatically downloaded to the local machine as a .webm file. This fulfilled the requirement for local data storage and proof of capture.

3. Phase 2: Live Cloud Deployment

The project was successfully hosted on Netlify, a cloud platform, to simulate a real-world web attack scenario. This live deployment demonstrates that the vulnerability is accessible via a public URL and is not limited to a local environment.

Security Implications

This demonstration serves as a vital lesson in digital privacy:

  • Permission Fatigue: Users often click "Allow" without reading the context, especially if the website looks trustworthy.
  • Hardware Control: A single permission click can give a malicious site total control over hardware sensors like webcams and microphones.
  • Countermeasures: Always verify the source of a request, use physical webcam covers, and pay attention to browser indicators that show when a camera is active.

Conclusion

Ethical hacking is about understanding vulnerabilities to build better defenses. By showcasing this "Stealth Access" PoC, I hope to raise awareness about how social engineering remains a significant link in cybersecurity threats.

Author: Zainab Noor