Internet users who have activated the microphone seen on Google's homepage beware. Don't talk about business secrets. Don't talk about terrorism. Don't talk about an affair. Don't talk about your mother-in-law. Hush. Google Chrome might be secretly listening everything that you're saying.
A bug on the popular browser allows Chrome to listen to people who might have forgotten that they have activated their system's microphone when they visited an "htttps" website. The permission policy of Chrome is partly to blame as once users give a website permission to access the microphone, all of the website's instances, including pop-ups or pop-unders, are essentially granted permission. A user is essentially clueless that the mic is still working unless the permission is manually revoked.
The problem with Chrome was discovered by developer Tal Ater while toying with some voice-recognition applications.
"A user visits a site, that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice. Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good," explained Ater.
"Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn't mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can't start listening to you in background windows that are hidden to you," he added.
Once a user clicks the stop button but not leave the site or close other instances of it, the trouble begins. Chrome can then be used by malicious entities to eavesdrop on private conversations. Ater even demonstrated how one can easily set it up to wait for certain keywords before recording anything.
The policy of Google Chrome with regard to granting microphone and camera access is partly to blame as it clearly states how it remembers choices made in HTTPS sites, just how Ater related his experience.
Ater reported the bug to Google on Sept. 13, Google came up with a fix on Sep. 24. Ater's find was also nominated for the Chromium's Reward Panel where such find can earn as much as $30,000 in prizes. However, Ater was dumbfounded why the fix was not rolled out to the public.
The developer contacted Google to inquire but Google just said that decision makers were still discussing it. As of reporting, the patch has not been released.
"The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements," a Google spokesperson said in a statement.
So, before Chrome gets you into trouble, don't forget to revoke that microphone permission.
See the exploit demo below: