A software developer has gone public with a bug that allows malicious users to spy on Google Chrome users through their computers' built-in microphones.
Tal Ater, a software developer working on speech recognition technology, uncovered the bug. Normally, when a site requests to use a computer’s microphone, Chrome asks the user to confirm. If the user navigates away from the site or otherwise exits the browser, the browser stops listening.
Most sites that use speech recognition use SSL to encrypt the connection, attempting to display an aura of security.
“This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again,” Ater wrote on his site. “This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you.”
A malicious website, on the other hand, can open up a pop-under window that will continue to log any sound in the vicinity of the user, including any conversations, without any obvious indication that the microphone is still turned on.
Ater originally contacted Google about the bug in September, but went public after months passed without Google releasing a fix closing the security hole.
“A month and a half later, I asked the team why the fix wasn’t released,” he wrote. “Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behavior - ‘Nothing is decided yet.’ As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.”
Ater also demonstrated how the bug worked in a video. Until Google issues a fix, Chrome users should be extremely wary about which sites they authorize to use their microphones.
Edited by Ryan Sartor