– Google Chrome Bug Lets Websites Listen to Your Conversations (IBT, Jan 23, 2014):
A bug in Google’s Chrome web browser enables malicious websites to activate your microphone and spy on conversations that happen next to your computer, even after you’ve left the website.
The internet giant seems dismissive of the problem, however.
In a statement, Google said: “We’ve reinvestigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it.”
In a video he filmed with a voice-over artist, Ater shows how websites that legitimately turn on your microphone to enable speech recognition, can continue to record and listen in on conversations in the background even after you have left the website.
His video shows that every word of the script the voice-over artist was reading aloud has been recorded by Chrome’s speech recognition feature, even after the website has been closed.
According to the video, the information captured from the conversation is then sent to Google’s servers, analysed and then sent back to the website which was originally authorised by the user to record the conversation.
Once the information is in the hands of the website, anything can happen to it, and Chrome’s speech recognition feature can pick up anything said within earshot of the computer once it is switched on and has Chrome running.
The malicious website could hide information being recorded beneath a banner ad, Ater suggests.
The Chrome bug also enables attackers to programme the speech recognition feature to stay dormant, and only start recording conversations if the user says certain keywords near the computer.
According to Ater, he reported the bug to Google’s security team in September 2013. Google’s engineers patched the bug just two weeks later and Ater was nominated for Chromium’s Reward Panel, where cash prizes of up to $30,000 (£18,108, €22,000) are given out to people who spot errors in the Chrome browser.
However, although Google’s engineers have completed the fix, it has not been released to the public as Google is still waiting on its standards group to decide on the best course of action for the speech recognition feature’s “behaviour”.
So after waiting for four months for Google to fix the problem, Ater decided to go public with his findings.
“My work has allowed me the insight to find multiple bugs in Chrome, and to come up with this exploit which combines all of them together,” writes Ater on his blog.
“As the maintainer of a popular speech recognition library, it may seem that I shot myself in the foot by exposing this. But I have no doubt that by exposing this, we can ensure that these issues will be resolved soon.”
He also points out that the web’s official standards body, the W3C, has already defined the correct behaviour that would have prevented this bug, the Web Speech API, back in October 2012.