Do you use speech recognition in Google Chrome? If yes, here’s something to worry about. Developer Tal Ater has discovered a bug in Google’s popular browser that malicious websites, enabled for voice-recognition, could exploit to listen in on the conversation taking place around the computer without your knowledge.
The problem lies in Chrome’s microphone permissions policy. Once you allow an HTTPS website to access your microphone, every instance of the website (including pop-ups) has the same permission. To a user, it may seem as though a pop-up window is not doing anything evil, but in reality it could be transcribing everything they say.
In the demo, Ater closed the tab and continued talking, while a pop-up behind the main Chrome window kept on transcribing whatever he said. This pop-up was just for demonstration purposes. In reality, a pop-up could be disguised as a banner ad, for example, and since Chrome does not show any visual indication that Speech Recognition is turned on in such windows, you might never know what’s actually happening.
Ater first reported the bug in September last year. Google acknowledged the loophole, nominated the bug for Chromium’s Reward Panel, and even fixed it. But the fix never made it to users’ desktops, which means that your Chrome browser is still vulnerable.
When asked, a Google spokesperson told The Verge: “We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”
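Since the microphone grant is stored per site and then applies to every window of that site, one practical check is to review which HTTPS sites currently hold it. The Python sketch below is an added example, not code from the original article or from Chrome; the layout of the profile's Preferences file (the `media_stream_mic` key, setting value 1 for allow) is an assumption, and the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Chrome profile "Preferences" file.
# Assumed layout: profile.content_settings.exceptions.media_stream_mic,
# keyed by "primary,secondary" patterns, with setting 1 = allow, 2 = block.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"media_stream_mic": {
        "https://voice-notes.example:443,*": {"setting": 1},
        "https://ads.example:443,*": {"setting": 1},
        "https://news.example:443,*": {"setting": 2},
        "http://intranet.example:80,*": {"setting": 1},
    }}}}
})

ALLOW = 1  # assumed value for a stored "allow" decision


def persistent_mic_grants(prefs_text):
    """Return sorted HTTPS hosts that hold a stored 'allow' microphone grant."""
    prefs = json.loads(prefs_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("media_stream_mic", {}))
    hosts = set()
    for pattern, entry in exceptions.items():
        # Skip blocked sites and malformed entries.
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue
        primary = pattern.split(",", 1)[0]  # drop the secondary pattern
        parts = urlsplit(primary)
        # The article describes the grant as applying to HTTPS sites,
        # so only those are reported; wildcard patterns are skipped.
        if parts.scheme == "https" and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for host in persistent_mic_grants(SAMPLE_PREFS):
        print("stored microphone grant:", host)
```

Any site in the output that you do not actively use for dictation is a candidate for removal in Chrome's microphone settings.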
This is yet another example of how technology is threatening privacy. Last month we reported research which revealed that it is possible for an individual or a government agency to remotely activate a built-in laptop webcam without the user knowing about it.