Security bug lets malicious websites use Chrome browser to spy on you and Google won’t fix it, says coder


An Israeli coder named Tal Ater was working on speech recognition software when he found a security bug in Google’s Chrome browser. The bug allows those with malicious intent to exploit the way Chrome handles speech recognition, making the browser continue to listen in on you — using your computer’s microphone — even after you leave that particular page or website.

Normally, when a site wants access to a user’s microphone, a pop-up appears in Chrome asking for permission to use it. When granted, Chrome then displays a blinking red dot on that particular site’s tab. According to Ater, hackers could use specific code to open “pop-under” windows with the speech recognition enabled — basically turning Chrome into an eavesdropping device until the entire browser (or that particular process if found) is closed.

Ater says that Google was told about the bug back in September of last year and found a fix for it in October. So why are we still talking about it? Apparently Google hasn’t rolled out the fix, even today. The company is reportedly waiting for the World Wide Web Consortium (W3C) before making a decision. Google also says that the speech recognition software is in W3C specifications, and believes that there is no immediate threat since users must first grant permission.

If you’d like to see Ater’s blogpost detailing the exploit, along with an accompanying video to demonstrate it, you can check out his post here.

[via Tal Ater, BBC; image via Grant]
