Google seems to have left an open door for those with malicious intent

Jan 23, 2014 09:51 GMT

A while back, Google introduced what seemed to be a really cool feature – the ability to tell Chrome what to search for, just as you’d tell your Android phone. Now, however, it looks like this might be a big security vulnerability.

Malicious websites could use the computer microphone to eavesdrop on your private conversations, an expert said.

The Chrome feature works as follows – users can enable it by clicking on the microphone-like button on the search bar or by uttering the famous “OK Google” before launching a search. Chrome places a blinking red light in the tab and adds a camera icon in the address bar so the user can easily spot the tabs that are listening in.

The feature can be exploited, however, and some sites could continue eavesdropping. Israeli developer Tal Ater demonstrated this in a video posted on YouTube. Once a site is given permission to access the microphone, it can continue to record everything. The audio is sent to Google for analysis before being sent to the site that made the request.

Once permission is granted, Chrome can start recording, especially when hearing key words that were programmed beforehand.

Ater alerted Google to the issue in September, choosing to report it privately rather than make everything public. Nearly two weeks later, Google said that a patch was ready and that his discovery was even eligible for a large reward from the bug bounty program.

When the patch was still missing in November, he asked again, only to be told that a decision had yet to be made on the issue.

Now that he’s gone public with the information, Google has reacted. In a message sent to Ars Technica, Google said that the security of its users was a top priority. “We’re re-investigating and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”

[Update]: Here's a way to take back control over your web browser