Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Google dismisses eavesdropping threat in Chrome feature

Chrome can continue to access a computer's microphone after a person thinks a speech recognition feature is off, a web developer says

Article comments

Google said there's no threat from a speech recognition feature in its Chrome browser that a developer said could be used to listen in on users.

Web developer Tal Ater wrote he found the multiple bugs in Chrome while working on a JavaScript speech recognition software library he maintains, called "annyang."

He created an exploit that could allow a website to continue accessing a computer's microphone after a person thinks they've left a website. Some websites are enabled to use speech recognition, where the website has access to voice commands from a computer's microphone.

"It may seem I have shot myself in the foot by exposing this," Ater wrote. "But I have no doubt that by exposing this, we can ensure that these issues will be resolved soon."

Google acknowledged the problem and had a patch ready by Sept. 24, Ater wrote. The company nominated him for a reward for finding the vulnerabilities, he wrote. Google later decided the issue he found didn't qualify for a bug bounty reward.

But Google never pushed out an update to Chrome. In a statement, Google said it designed the speech recognition feature with security in mind and the feature is in compliance with W3C (World Wide Web Consortium) coding standards.

"We've reinvestigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it," it said.

Websites enabling the feature ask users for permission to use their microphone first, and Chrome indicates the microphone is active with a red dot in the browser tab.

But Ater found that Chrome remembers if a person granted permission to a site that uses HTTPS, a security feature that encrypts communication between a client and a server. It will allow sites using HTTPS to start listening in the future without asking for permission again.

Ater described a scenario where a website could be configured in a more malicious way to launch a "popunder" window, which is another browser window behind the main one.

If someone navigates off the main page, they may be unaware the popunder window is still active, recording their voice. The popunder window could also be disguised as an advertisement, concealing its true purpose.

"This can be done in a window that you never saw, never interacted with and probably didn't even know was there," Ater wrote.

The spying window could also be programmed to stay dormant until someone says certain, interesting keywords, according to a demonstration video on Ater's site.

The attack doesn't work if permission isn't granted to enable speech recognition.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *