Showing results for 
Search instead for 
Did you mean: 

Chrome hack lets websites keep listening after you close the tab

Silver VIP

Chrome hack lets websites keep listening after you close the tab

Toying around with voice-recognition apps, developer Tal Ater noticed something strange. Because of a quirk in Chrome's microphone settings, any site enabled for voice-recognition could use a pop-up window to keep recording almost indefinitely, hidden in the background. In Ater's demonstration, he closes the tab and continues talking, only to reveal a pop-up behind the main Chrome window, transcribing everything he says. It's an unsettling thought: could a malicious site use Chrome to listen in on users' offline conversations?

The core of the problem is Chrome's microphone permissions policy. Once you've given an HTTPS-enabled site permission to use your microphone in Chrome, every instance of the site has permission, even windows that pop up unnoticed in the background. And since the code is running in a different window, it won't set off any of Chrome's recording icons. By all appearances, the site won't be accessing the computer at all. The only sure defense is to manually revoke the microphone permission, which most users would never think to do.

Ater first reported the bug to Google back in September, even coding up a proof-of-concept. The bug was nominated for a Chromium Reward, but while Google's engineers easily isolated the problem, their fix still hasn't made it to user desktops. Reached for comment, a Google spokesperson said, "we’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."

Beyond Chrome, there may be an even larger problem at work as the new class of apps require ever more invasive permissions. In-browser services like Hangouts are more convenient when users don't have to reauthorize the microphone for each session, but those blanket permissions can create a real privacy problem. And as the apps become more common, the privacy problem grows with them. For Ater, that's what makes the bug so serious. "Authorizing a site to use speech recognition will soon be as common as talking to Siri," he told The Verge. If you're worried about keeping control of your computer's microphone, that may be a troubling thought.


Source Article


Interesting video, despite the on screen indications she was still being recorded.  beta_tester_transparent.png

Luminary Signature.png

2016-07-18_12-11-32.png  Microsoft® Windows Insider MVP - Windows Security

Silver VIP

Re: Chrome hack lets websites keep listening after you close the tab

Huge hole and a great reminder.  Thanks for sharing this!



New to the Community? Register now and start posting!

Helpful Webroot Links:

Download (PC)   Download (Best Buy Subscription)   Submit Trouble Ticket   Account Console   User Guides   

"If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!"

WSA-Complete (Beta PC), WSA Mobile (Android), WSA Business Mobile (Android) WSA-Endpoint (PC- Some of the time.....)
Gold VIP

Re: Chrome hack lets websites keep listening after you close the tab

Oh my Goodness..thank you for sharing this!


original.png Microsoft® Windows Insider MVP - Windows Security

Helpful Webroot Links:

Download (PC) | Download (Best Buy Subscription) | Submit Trouble Ticket | Account Console | User_Guides | BrightCloud URL lookup

and Introduce yourself to The Community!

ALIENWARE 17R4 Win 10 Pro x64 / Mac OS X El Capitan (10.11.6), IPad's, PCs,W 10 & W 8.1 R Pro. W 7 Pro ..Lenovo (VM:10) & Webroot® SecureAnywhere™ Internet Security Complete (Android Samsung Note 4) Beta Tester,Windows Insider Builds