Bugs in Google Chrome may make it possible for malicious websites to eavesdrop on users through their computers’ microphones, an independent coder has claimed.
According to Tal Ater, some malicious websites with speech recognition features fail to turn off the speech recognition function when a user leaves the website, so the microphone connection stays open, giving audio access to conversations taking place near the computer.
Ater said the risk occurs when a user visits a site through Chrome and gives access to their microphone to take advantage of a speech recognition feature. However, Chrome only shows that speech recognition is turned on for Chrome tabs.
He explains that many malicious websites launch pop-up windows, which often go unnoticed by the user and may remain active after the user leaves the main website.
This is when the microphone remains active, and Chrome makes no indication that speech recognition functions are still in use.
Ater claims he found the bugs in September 2013, and immediately informed Google in private.
“Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than two weeks from my initial report,” said Ater.
“But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour – ‘Nothing is decided yet’.”
Ater claims the bugs have still not been dealt with, leaving users’ computers vulnerable.
“As the maintainer of a popular speech recognition library, it may seem that I shot myself in the foot by exposing this. But I have no doubt that by exposing this, we can ensure that these issues will be resolved soon, and we can all go back to feeling very silly talking to our computers,” he said.