Security bug lets malicious websites use Chrome browser to spy on you and Google won’t fix it, says coder


An Israeli coder named Tal Ater was working on speech recognition software when he found a security bug in Google’s Chrome browser. The bug allows those with malicious intent to exploit the way Chrome handles speech recognition, making the browser continue to listen in on you — using your computer’s microphone — even after you leave that particular page or website.

Normally, when a site wants access to a user’s microphone, a pop-up appears in Chrome asking for permission to use it. When granted, Chrome then displays a blinking red dot on that particular site’s tab. According to Ater, hackers could use specific code to open “pop-under” windows with the speech recognition enabled — basically turning Chrome into an eavesdropping device until the entire browser (or that particular process if found) is closed.

Ater says that Google was told about the bug back in September of last year and found a fix for it in October. So why are we still talking about it? Apparently Google hasn’t rolled out the fix, even today. The company is reportedly waiting for the World Wide Web Consortium (W3C) before making a decision. They also say that the speech recognition software is in W3C specifications, and believe that there is no immediate threat since users must first grant permission.

If you’d like to see Ater’s blogpost detailing the exploit, along with an accompanying video to demonstrate it, you can check out his post here.
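
Since the behaviour described above depends on a microphone permission the user has already granted, it helps to review which sites hold that permission. The script below is an added example, not from the original article or from Ater's post: it lists the sites with an "allow" microphone setting in the JSON of a Chrome profile's Preferences file. The key path `profile.content_settings.exceptions.media_stream_mic`, the setting codes and the sample data are assumptions based on the layout of current Chrome profiles.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: Chrome's content-setting codes (1 = allow, 2 = block, 3 = ask).
ALLOW = 1
# Chrome stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of the relevant part of a profile's "Preferences" file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"media_stream_mic": {
  "https://voice-demo.example:443,*": {"last_modified": "13300000000000000", "setting": 1},
  "https://meet.example:443,*": {"last_modified": "13350000000000000", "setting": 1},
  "https://ads.example:443,*": {"last_modified": "13340000000000000", "setting": 2},
  "https://legacy.example:443,*": {"setting": 1}
}}}}}
""")


def webkit_to_datetime(value):
    """Convert a Chrome timestamp string; None if missing or malformed."""
    try:
        micros = int(value)
    except (TypeError, ValueError):
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=micros) if micros > 0 else None


def mic_grants(prefs):
    """Return [(origin, granted_at)] for sites allowed to use the microphone."""
    node = prefs
    for key in ("profile", "content_settings", "exceptions", "media_stream_mic"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    grants = []
    for pattern, entry in (node.items() if isinstance(node, dict) else []):
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            origin = pattern.split(",", 1)[0]  # key is "primary,secondary"
            grants.append((origin, webkit_to_datetime(entry.get("last_modified"))))
    # Undated grants first, then oldest first: these deserve review soonest.
    return sorted(grants, key=lambda g: (g[1] is not None, g[1] or WEBKIT_EPOCH))


if __name__ == "__main__":
    for origin, when in mic_grants(SAMPLE_PREFS):
        print(origin, when.isoformat() if when else "unknown date")
```

To audit a real profile, pass `mic_grants` the result of `json.load` on that profile's Preferences file; grants that are no longer needed can be revoked in Chrome's microphone site settings.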

[via Tal Ater, BBC; image via Grant]

  • Bub

    You don’t have to disable your mic. Just make a habit of not enabling your mic on any site you don’t completely trust. You must explicitly grant that permission to the site before it can leverage this quirk of Chrome. The issue is that once you have done so, it is possible for that site to continue leveraging that permission without your knowledge.

  • Tom

    Great. I’ve already disabled my built-in camera, now I have to go for the mic.

    Next we’ll discover the keyboard is bugged, and our loggers never detected it.

    Remember: “Spy versus Spy”? … Now think Google, NSA, Facebook, Microsoft, etc., etc….

  • Mr.Dave

    Is it just me, or does anyone else think this is intentional?

    At least I don’t normally have a mic on my PC. Can’t imagine how bored someone would get if they tried to listen in!