Chrome Eavesdropping Bug Discovered
According to Israeli coder Tal Ater, any computer running the Chrome browser can eavesdrop on conversations happening around it.
While working on his speech on recognition software, Ater found the eavesdropping bug. "Even while not using your computer - conversations, meetings and phone calls next to your computer may be recorded and compromised," wrote Ater in a blog post after finding the bug. Ater says the bug emerges when malicious sites try to sabotage the way Chrome handles speech recognition. Usually users must grant each page individual access to the computer's microphone to listen in. Once permission has been granted, Chrome lets users know via a blinking red dot on the tab for that specific site. Ater showed on his blog that a malicious attacker could input a specifically crafted code to exploit these permissions by launching a "pop-under" window that starts the speech recognition system. "The malicious site you visited can continue listening in on you long after you have left it," explained Ater. "As long as Chrome is still running nothing said next to your computer is private."
Google was told about this bug in September last year and found a way to fix it in October 2013. However, the fix has yet to be rolled out to Chrome. Google reassured users by saying that there is no immediate threat to users from the speech recognition system. "The security of our users is a top priority, and this feature was designed with security and privacy in mind," said a Google spokesperson. "We've re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it." According to Google, "The feature is in compliance with the current W3C specification, and we continue to work on improvements."
Photo credit: screengrab