Dev reckons exploit lets sneaky sites listen in on your mic – El Reg investigates
By Neil McAllister, 23rd January 2014 Updated A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case."Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli developer Tal Ater wrote in a blog post on Wednesday.
According to Ater, the vulnerability arises when sites aren't completely forthright about when they are using the microphone.
Ordinarily, users must explicitly give permission to each site that requests to use the mic, and Chrome displays a blinking red dot in the page's tab as long as the site is recording. But Ater says that's not enough to prevent malicious sites from hiding what they're doing.
"When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden pop-under window," Ater wrote. "This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."
For secure HTTPS sites, Chrome will even remember that you gave a site permission to use the microphone and will maintain that permission between browser sessions without asking you again.
Ater says he alerted Google to the dangers of this behavior last September. But although the web kingpin's engineers acted immediately, a patch was created to address Ater's concerns, and Ater's bug disclosure was even nominated for a bug bounty, the patch has yet to be merged into the mainstream Chrome code base.
Full Article