14 DAY TRIAL // Israeli expert Guy Aharonovsky has identified a flaw in Google Chrome’s old speech recognition API that could be exploited to steal the transcript generated by the web browser when the feature is used. He has developed an online game to show how the issue can be leveraged.
The vulnerable API was introduced with Chrome 11. Google has released a newer API since, but Aharonovsky believes that there are several websites still using the old one.
So how can the vulnerability be exploited? An attacker can set up a website and place -x-webkit-speech feature on it. The speech widget is usually visible, but the attacker can make modifications to it.
For instance, it can be resized so that it’s activated regardless of where the user clicks. Furthermore, its opacity can be set so that it becomes invisible. The box which shows that the user is being recorded can be moved outside the screen so that the victim doesn’t see it.
All the attacker needs to do is lure the victim to his website and get them to click on the screen.
To demonstrate his findings, the expert has set up a website that appears to be a game. Potential victims are told to plant tree seeds and as the trees grow they can make wishes, which they must say into the computer’s microphone.
What victims don’t know is that everything they say while playing “the game” is actually being collected by the attacker. That’s because the speech recognition feature is activated each time they click on the screen.
“That is enough in order to listen to the user speech without any consent and without giving him any indication. The other bugs just make it easier but are not mandatory,” the expert explained in a blog post.
Aharonovsky has told IBTimes that Google has been notified, but no fix has been released so far. Google representatives have told IBTimes that the issue is being investigated, but the search engine giant’s security team has informed the expert that the bug is “low-severity” and they don’t view it as a top priority.
This isn’t the first time experts show how Google’s speech recognition features can be abused. Earlier this year, Israeli developer Tal Ater demonstrated that the feature that allowed users to perform Google searches by telling Chrome what they were looking for could be abused to spy on private conversations.
Check out the video demonstration published by Guy Aharonovsky. Additional details on the speech recognition API flaw are available on his blog.
