Google Chrome Allows Eavesdropping, Researcher Claims

  /     /     /  
Publicated : 22/11/2024   Category : security


Google Chrome Allows Eavesdropping, Researcher Claims


Google doesnt recognize the browser behavior as a security issue.



The way that Google Chrome allows web apps to access microphones in computers is being described by a web developer as a security flaw.
Tal Ater, a programmer based in Israel, on Tuesday
published details about the issue
 on his website. He says he has been working with Google engineers since first reporting the issue on Sept. 13, 2013.
Google doesnt recognize the issue, demonstrated in this
YouTube video
, as a valid exploit, and insists Chrome is safe and performing as expected.
Chrome provides access to a computers microphone (if one exists) on the host device through the Web Speech API. After seeking permission, Googles browser allows users to click on the microphone icon in the Google Search input box to listen for spoken words that can be recognized by the companys speech-to-text algorithms and turned into text-based search queries.
[Are you still using one of the 25 least secure passwords? See
Password No Longer Worst Password
.]
Two months ago, Google also released a Chrome extension that allows
hotwording
-- having the host device listen constantly for a key phrase like ok Google, in order to automatically interpret whatever words follow as a voice command.
But in pushing the boundaries of browser development, Google may have provided malicious hackers with an opportunity to spy on the unsuspecting, Ater claims.
Googles security team developed a fix to the identified vulnerabilities within two weeks, Ater says, but has been waiting for the W3C, the web standards body, to agree on the best approach to fix the flaw.
Google in an email statement put it another way: The security of our users is a top priority, and this feature was designed with security and privacy in mind. Weve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.
Ater explained in a previous email that Chrome does not comply with the W3Cs unfinished specification for Web Speech, which states that code implementing the Web Speech API should abort an active speech input session if the webpage lost input focus to another window or to another tab within the same user agent, in order to reduce the chance of allowing websites to record without the users knowledge.
But that recommendation was struck from the specification last November. The Web Speech API errata calls for
the deletion that very sentence
. This appears to make the scenario depicted in Aters video -- in which a hidden pop-under window continues recording surreptitiously after the user has granted recording permission and then navigated to another website -- acceptable, at least from a standards perspective.
Ater says he agrees that it was a good idea to remove the restriction because there are times when one might want a background window active during speech recognition. He also agrees that speech recognition permission should be allowed to persist across sessions. 
The problem is that the current implementation allows turning on speech recognition in a background window or tab that the user has never interacted with and may not be aware is there, Ater said. Add to this the fact that there is no visual indication in pop-up windows for speech recognition being turned on, and you have a perfect combination of little bugs and issues coming together to create an exploit that is more than the sum of its parts.
Such behavior appears to allow Chrome to be turned into a covert listening device, but because Google has addressed some of these issues, its not clear how easy abuse might be. Ater has posted
sample exploit code
in a Github repository.
I think the severity of this exploit should be measured by how it can be used to create something which can affect a users privacy, and not by the severity of each of its small parts, said Ater.
The Chromium team is working on at least one other
microphone-related security issue
.
None of this is entirely surprising. Microphones have represented a security vulnerability for more or less as long as theyve been around, but theyre even more of a potential threat in an era of mobile, network-connected devices. In 2008, security researchers identified
a flaw in Adobe Flash
that allowed webcams to be hijacked for surreptitious surveillance. A related
Flash for Chrome vulnerability
surfaced last year. Also last year, Cisco published a warning of an exploit that could turn one of its IP phones into a surreptitious listening device.
Back in the 1980s and for years after that, Lucasfilms acoustics certification group THX ran thundering trailers in movie theaters that declared The audience is listening. Today, the computers are listening, quietly but attentively.
Thomas Claburn
is editor-at-large for InformationWeek. He has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television. Hes the author of a science fiction novel,
Reflecting Fires
, and his mobile game Blocfall Free is available for
iOS
,
Android
, and
Kindle Fire
.
InformationWeek Conference
 is an exclusive two-day event taking place at Interop where you will join fellow technology leaders and CIOs for a packed schedule with learning, information sharing, professional networking, and celebration. Come learn from each other and honor the nations leading digital businesses at our InformationWeek Elite 100 Awards Ceremony and Gala. 
You can find out more information and register here
. In Las Vegas, March 31 to April 1, 2014.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Google Chrome Allows Eavesdropping, Researcher Claims