Chrome lets websites secretly record you?! Google says no, but...

  • 25 January 2014
  • 1 reply
  • 6 views

Userlevel 7

Dev reckons exploit lets sneaky sites listen in on your mic – El Reg investigates

By Neil McAllister, 23rd January 2014  Updated A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case.
 
"Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli developer Tal Ater wrote in a blog post on Wednesday.
 
 According to Ater, the vulnerability arises when sites aren't completely forthright about when they are using the microphone.
Ordinarily, users must explicitly give permission to each site that requests to use the mic, and Chrome displays a blinking red dot in the page's tab as long as the site is recording. But Ater says that's not enough to prevent malicious sites from hiding what they're doing.
 
"When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden pop-under window," Ater wrote. "This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."
 
For secure HTTPS sites, Chrome will even remember that you gave a site permission to use the microphone and will maintain that permission between browser sessions without asking you again.
 
Ater says he alerted Google to the dangers of this behavior last September. But although the web kingpin's engineers acted immediately, a patch was created to address Ater's concerns, and Ater's bug disclosure was even nominated for a bug bounty, the patch has yet to be merged into the mainstream Chrome code base.
 
 Full Article

1 reply

Userlevel 7
Badge +26
Google really has some 'splainin to do lately about this. First off they let extension devs sell out to malware authors and no word is given to the user and now this.... wow.

Reply