Did You Know?

Community Leader
Posts: 1,062
Registered: ‎06-12-2013

Chrome hack lets websites keep listening after you close the tab

Toying around with voice-recognition apps, developer Tal Ater noticed something strange. Because of a quirk in Chrome's microphone settings, any site enabled for voice-recognition could use a pop-up window to keep recording almost indefinitely, hidden in the background. In Ater's demonstration, he closes the tab and continues talking, only to reveal a pop-up behind the main Chrome window, transcribing everything he says. It's an unsettling thought: could a malicious site use Chrome to listen in on users' offline conversations?

The core of the problem is Chrome's microphone permissions policy. Once you've given an HTTPS-enabled site permission to use your microphone in Chrome, every instance of the site has permission, even windows that pop up unnoticed in the background. And since the code is running in a different window, it won't set off any of Chrome's recording icons. By all appearances, the site won't be accessing the computer at all. The only sure defense is to manually revoke the microphone permission, which most users would never think to do.

Ater first reported the bug to Google back in September, even coding up a proof-of-concept. The bug was nominated for a Chromium Reward, but while Google's engineers easily isolated the problem, their fix still hasn't made it to user desktops. Reached for comment, a Google spokesperson said, "we’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."

Beyond Chrome, there may be an even larger problem at work as the new class of apps require ever more invasive permissions. In-browser services like Hangouts are more convenient when users don't have to reauthorize the microphone for each session, but those blanket permissions can create a real privacy problem. And as the apps become more common, the privacy problem grows with them. For Ater, that's what makes the bug so serious. "Authorizing a site to use speech recognition will soon be as common as talking to Siri," he told The Verge. If you're worried about keeping control of your computer's microphone, that may be a troubling thought.


Source Article


Interesting video, despite the on screen indications she was still being recorded.

Community Leader

Please use plain text.
Posts: 3,156
Kudos: 1,600
Registered: ‎10-28-2012

Re: Chrome hack lets websites keep listening after you close the tab

Huge hole and a great reminder.  Thanks for sharing this!


New to the Community? Register now and start posting!

Helpful Webroot Links:

Download (PC)   Download (Best Buy Subscription)   Submit Trouble Ticket   Account Console   User Guides   

"If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!"
WSA-Complete (Beta Tester), Toshiba Satellite L305, Intel Pentium Dual CPU at 1.87 GHz, 3 GB RAM With Windows 7 (x86) (Yes its old.. but it still usually works! : )
Please use plain text.
Posts: 617
Topics: 17
Kudos: 229
Ideas: 0
Registered: ‎11-27-2013

Re: Chrome hack lets websites keep listening after you close the tab

Oh my Goodness..thank you for sharing this!

Mac / Maverick OS, IPad, PCs,Windows Vista, Windows 7 Pro.,& VM 8.1 R Pro.
Please use plain text.