{
"title": "Chrome 150 Update Closes Loophole That Could Allow Unauthorized Webcam Access",
"content": "Google released a stable channel update for Chrome on June 30 that patches a low-severity vulnerability in the browser’s GetUserMedia API. The flaw, tracked as CVE-2026-14039, could have allowed a remote attacker to bypass the browser’s same-origin policy, potentially gaining access to a user’s camera or microphone without proper consent. The update, Chrome 150.0.7871.47 for Windows, Mac, and Linux, is rolling out gradually over the coming days.
What the Vulnerability Actually Does
At its core, CVE-2026-14039 concerns how Chrome handles camera and microphone permission prompts when multiple origins are involved. Websites use the GetUserMedia API to request access to your webcam or mic—Google Meet asks for it when you join a call, for example. Once you grant permission for a specific site (say, meet.google.com), the browser remembers that choice so future visits won’t need to ask again. That trust is bound to the site’s origin under the same-origin policy, a foundational web security principle that restricts how scripts from one origin interact with resources from another.
Google’s security advisory explains that the bug broke this barrier in a specific scenario. An attacker could craft a malicious webpage that embeds a legitimate site inside a hidden iframe. When a user visits the attacker’s page and performs a simple action—like clicking a button or tapping a link—the embedded iframe could silently trigger a GetUserMedia request. Because of the flaw, the permission dialog that appeared would show the trusted origin (the iframe’s source) rather than the top-level attacker’s domain. A user who thought they were allowing “meet.google.com” to use their camera might unwittingly be granting that access to the attacker’s site instead.
Google rated the vulnerability as “low” severity. Exploitation required user interaction—the victim had to click or tap—and the attacker could not execute arbitrary code or access the camera without first luring the user to a controlled webpage. There are no signs that the flaw was ever exploited in the wild, and the attack scenario remains relatively complex compared to drive-by download exploits. “We’ve seen no evidence of active exploitation, but users should update promptly,” a Google spokesperson said in the release notes.
Who’s Affected and Who Needs to Worry
The bug affects all Chrome desktop versions prior to 150.0.7871.47, as well as any Chromium-based browser that has not yet incorporated the upstream fix. That includes Microsoft Edge, Brave, Opera, and others that rely on the Chromium engine. Mobile versions of Chrome (Android and iOS) were not listed in the advisory, but because they share the same WebRTC and media stack, similar patches usually follow closely. Google’s extended stable channel for enterprises also received the fix, which means organizations running older Chrome for legacy app compatibility are covered.
For everyday users, the risk is minimal. You’d have to visit a malicious site, click through a permission prompt that displays the wrong origin, and be unaware that something was amiss. But given how often we grant camera access without a second thought—looking at you, all those random “virtual background” test sites—the flaw serves as a reminder that web permissions aren’t foolproof. For business and IT administrators, the concern is slightly higher: an attacker who successfully weaponized the bug could potentially capture sensitive video conferences or eavesdrop on calls if employees were tricked. However, corporate security training that warns against clicking unfamiliar prompts would likely thwart most attempts.
Developers who build web apps that rely on GetUserMedia don’t need to change any code. The fix is entirely within the browser, not in the JavaScript API surface. Nonetheless, Google recommends that developers who integrate camera feeds double-check that their permission requests use clear, user-visible UI, and that they’re not embedding third-party content in ways that could be exploited in future vulnerabilities.
The Fix: Chrome 150.0.7871.47 and How It Arrives
As with most Chrome security updates, the patch was rolled out silently via the browser’s auto-update mechanism. If you’re on a stable version of Chrome, it should update itself within a few days of release. You can manually trigger the update by going to chrome://settings/help (or Help > About Google Chrome from the menu). The patched version number is 150.0.7871.47 for all desktop platforms.
Google typically throttles new releases to a small percentage of users at first and gradually expands the rollout to watch for stability issues. By July 1, most desktop installations should have the update. The extended stable channel, often used by enterprises, received build 150.0.7871.48, which includes the same security fix along with a few additional enterprise-specific improvements.
Chromium-based browsers like Edge are expected to release their own patches within a week. Microsoft’s Edge Stable channel, for example, typically merges Chromium security fixes in its next release cycle. Users of such browsers should check their respective update mechanisms.
| Browser | Affected Versions | Fixed Version |
|---|---|---|
| Google Chrome (Stable) | < 150.0.7871.47 | 150.0.7871.47 |
| Google Chrome (Extended Stable) | < 150.0.7871.48 | 150.0.7871.48 |
| Microsoft Edge | Based on Chromium < 150 | Pending, expected within a week |
| Brave / Opera | Based on Chromium < 150 | Pending, expected within a week |
A Brief History of Camera Permission Security
The GetUserMedia API first appeared in Chrome in 2012 as part of WebRTC, ushering in an era of browser-based video calls without plugins. Over time, its security model matured: browsers switched from granting permanent global permissions to per-origin, revocable permissions. Chrome also added a requirement that GetUserMedia can only be called from secure contexts (HTTPS), and it enforces that the API be invoked after a user gesture to reduce drive-by access.
Despite these protections, same-origin policy bypasses in media APIs have surfaced before. In 2021, a developer reported a bug where a script could enumerate camera devices across origins, leaking hardware information (CVE-2021-30626). Google fixed that quickly. A more critical flaw in 2023 (CVE-2023-1819) allowed a compromised renderer to escape the sandbox and directly access the webcam stream, though that required additional vulnerabilities to chain. The current CVE-2026-14039 is significantly less severe—it cannot escape the sandbox, and it relies wholly on social engineering.
The longevity of these bugs underscores how difficult it is to balance web standards that demand feature-rich APIs with iron-clad security. As video conferencing and AI-driven media processing become default browser features, the attack surface grows. Google’s bug bounty program rewards researchers for finding such quirks, and CVE-2026-14039 was reported internally, earning no public bounty but prompting a quick turnaround.
Immediate Steps You Should Take
- Update Chrome: The most critical step. Type chrome://settings/help in the address bar and let the browser check for updates. Once updated to 150.0.7871.47 or later, you’re protected.
- Review camera and microphone permissions: Go to chrome://settings/content/camera and chrome://settings/content/microphone. Remove any sites you don’t recognize or no longer use. This is a good hygiene practice,