Google is downplaying fears over a vulnerability in a speech recognition feature in Chrome that would allow eavesdropping on users if a malicious website were given permission to access the application, even if the user is no longer actively on the site.
“By exploiting bugs in Google Chrome, malicious sites can activate your microphone, and listen in on anything said around your computer, even after you’ve left those sites,” wrote web developer Tal Ater. “Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised.”
Ater produced a video demonstrating the exploit.
Last fall Google had nominated Ater for a bug bounty reward for discovering the vulnerability, and had a patch ready to deploy as early as September 24, but subsequently decided the disclosure did not qualify Ater for the prize, and has since never released the patch.
The company based its decision on compliance with the W3C (World Wide Web Consortium) coding standards, and said the application was designed with user security as a priority.
“We’ve reinvestigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it,” Google said in a statement.
Despite Google’s assertion that the threat is mitigated by users’ ability to control which websites they grant permission to use the speech recognition feature, Ater believes there is still a threat from sites that use less than friendly methods – such as “popunder” windows that keep a page open out of view – and is hopeful Google will move ahead with the patch.
“As the maintainer of a popular speech recognition library, it may seem that I shot myself in the foot by exposing this. But I have no doubt that by exposing this, we can ensure that these issues will be resolved soon, and we can all go back to feeling very silly talking to our computers,” Ater said.