Storm-Breaker is a browser-based surveillance toolkit designed to silently capture sensor data from visitors without their knowledge or consent. It combines device fingerprinting, network-based geolocation tracking, and WebRTC exploitation to access a remote device’s camera, microphone, and system information without triggering native permission prompts.
The toolkit achieves this by leveraging legacy browser APIs and network-based geolocation (IP, Wi-Fi) that do not require explicit user permission. It abuses WebRTC and media stream APIs to activate camera and microphone streams, while also collecting hardware and software details through stealth fingerprinting. All captured data is exfiltrated to a remote server via HTTP or WebSocket connections, orchestrated from a single-page web interface.
Storm-Breaker provides capabilities for webcam feed capture, microphone audio recording, device location tracking, and hardware/software reconnaissance, all operating outside standard consent workflows. The project is presented as a self-contained tool for exploring this kind of browser API abuse.
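For defenders running managed browsers, the capabilities listed above (camera, microphone, location, sensors) correspond to settings that can be locked down centrally. The following is an added example, not part of the original page or the Storm-Breaker project: it audits a Chrome enterprise policy file for those settings, including allow-list patterns that grant capture with no prompt. The sample policy is constructed, and the function names `audit` and `is_broad` are illustrative.

```python
import json

# Constructed sample of a Chrome managed-policy file (not from the page).
SAMPLE_POLICY = json.loads("""
{
  "VideoCaptureAllowed": true,
  "VideoCaptureAllowedUrls": ["https://meet.example.com/", "https://*"],
  "AudioCaptureAllowed": false,
  "DefaultGeolocationSetting": 1
}
""")

# Boolean policies: false denies capture outright; true or unset leaves it to a prompt.
# The paired allow-list grants capture to matching URLs without any prompt.
CAPTURE_POLICIES = {
    "VideoCaptureAllowed": "VideoCaptureAllowedUrls",
    "AudioCaptureAllowed": "AudioCaptureAllowedUrls",
}
# Integer policies: the value 2 blocks the capability for every site.
BLOCK_VALUE_POLICIES = {"DefaultGeolocationSetting": 2, "DefaultSensorsSetting": 2}


def is_broad(pattern):
    """True for allow-list patterns that match more than one named host."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return host in ("", "*") or host.startswith("*.") or host.startswith("[*.]")


def audit(policy):
    """Return a sorted list of (policy_name, finding) tuples."""
    findings = []
    for name, allow_list in CAPTURE_POLICIES.items():
        if policy.get(name, True) is not False:
            findings.append((name, "not set to false: sites may request capture"))
        for pattern in policy.get(allow_list, []):
            if is_broad(pattern):
                findings.append((allow_list, f"broad pattern grants capture with no prompt: {pattern}"))
    for name, block in BLOCK_VALUE_POLICIES.items():
        value = policy.get(name)
        if value != block:
            findings.append((name, f"value {value!r}, expected {block} (block)"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICY):
        print(f"{name}: {finding}")
```

An empty result means camera and microphone capture are denied by default, location and sensors are blocked, and any allow-list entries name specific hosts only.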