January 24, 2014
Chrome Lets Malicious Sites Eavesdrop On Your Conversations
Computers running Google’s Chrome browser are vulnerable to attacks that let malicious websites activate the microphone and listen in on nearby conversations for extended periods of time, even after the user has left the website.
The exploit was revealed by Israeli web developer Tal Ater, who discovered the vulnerability while working on his own speech recognition software.
“Even while not using your computer - conversations, meetings and phone calls next to your computer may be recorded and compromised,” Ater wrote in a blog post describing his discovery.
The vulnerability emerges when malicious websites attempt to subvert the way Chrome handles speech recognition, he said.
Typically, Chrome users must manually grant permission to each website that requests access their computer's microphone. Once permission has been granted, Chrome alerts the user that a site is listening in by displaying a blinking red dot on the tab for that website.
“A user visits a site that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice,” Ater explained.
“Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good,” he said. However, in a video demonstration accompanying his blog post, Ater showed how a website could use malicious code to exploit permissions to access a microphone to launch a "pop-under" window that initiates the speech recognition system. This pop-under window can continue recording, or even generate a new recording session, if Chrome has been told to trust the recognition functionality.
“Google Chrome is listening,” Ater said in the video demonstration.
“In this hidden “pop-under” window everything I said was captured, sent back to Google, analyzed, and then sent back to the malicious site where it could have been saved or sent on to any observer in the world.”
“In fact, it can even be programmed to stay dormant and only start recording once you’ve said certain interesting keywords,” Ater said. "What you see here essentially turns Google Chrome into an espionage tool that compromises your privacy in your office or your home even when you're not using the computer."
"The malicious site you visited can continue listening in on you long after you have left it," said Ater. "As long as Chrome is still running nothing said next to your computer is private."
Ater said that Google was notified of the bug last September, and quickly found a way to fix it, although that fix has not yet been included in any updates.
“I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel,” Ater said.
“But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behavior – ‘Nothing is decided yet.’”
Google issued a statement this week about the exploit, saying it did not see the matter as an immediate threat.
"The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."
But Ater noted that a malicious website could simply pretend to be legitimate, persuade someone to grant access to the microphone, and then keep it running in the background even after the website is closed.
For now, Chrome users should carefully consider any website's request for microphone access, and not rely solely upon icons that indicate sounds are being captured. To be sure no one is listening in, Chrome users can select Settings from their main menu, then "Show Advanced Settings,” then “Content Settings,” and then scroll down and select "Do not allow sites to access my camera and microphone."