Chrome bugs allow websites to listen in on your conversations

Several security flaws in the popular Google Chrome browser can be exploited to turn the computer into a surreptitious listening device, claims Israeli developer Tal Ater.

As you may already know, Chrome was made to support voice input earlier this year, and there are already websites out there that offer speech recognition for interested users.

In order to do so, the website explicitly asks users permission to use their computer’s microphone. If they allow it, the fact that the site now has access to it is explicitly indicated in the browser (blinking red light). Finally, when they close the site, Chrome automatically stops listening.

But Ater points out that the functionality can be misused by malicious actors:

Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you.

When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.

To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows – only in regular Chrome tabs.

Ater discovered that such an attack was possible last September, while working on a popular JavaScript Speech Recognition library. He shared his discovery with Google, and they confirmed the existence of the flaws and apparently prepared a fix less than two weeks later. In fact, it looked like Ater would even be rewarded with a monetary prize for pointing out the flaws.

But the fix was not released. When he asked what the holdup was, they answered that they are still debating with the W3C (World Wide Web Consortium) whether it should be released.

Four months later, the decision is still to be made, so Ater decided to reveal the existence of these flaws and to provide the source code for the exploit to the public, in the hope that this will prompt Google to finally do something about it.

Google has now responded by saying that “the feature is in compliance with the current W3C specification,” and that they continue to work on improvements. Unofficially, a source inside the company has said that they are working on making it more obvious to users when a site has access to the microphone.

The good news is any Chrome user can change the browser’s settings to prevent websites from spying on them in this way (Settings > Show advanced settings > Content Settings > select: Do not allow sites to access my camera and microphone).

Don't miss