Feeds

Chrome lets websites secretly record you?! Google says no, but...

Dev reckons exploit lets sneaky sites listen in on your mic – El Reg investigates

Build a business case: developing custom apps

Updated A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case.

"Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli developer Tal Ater wrote in a blog post on Wednesday.

According to Ater, the vulnerability arises when sites aren't completely forthright about when they are using the microphone.

Ordinarily, users must explicitly give permission to each site that requests to use the mic, and Chrome displays a blinking red dot in the page's tab as long as the site is recording. But Ater says that's not enough to prevent malicious sites from hiding what they're doing.

"When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden pop-under window," Ater wrote. "This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."

For secure HTTPS sites, Chrome will even remember that you gave a site permission to use the microphone and will maintain that permission between browser sessions without asking you again.

Ater says he alerted Google to the dangers of this behavior last September. But although the web kingpin's engineers acted immediately, a patch was created to address Ater's concerns, and Ater's bug disclosure was even nominated for a bug bounty, the patch has yet to be merged into the mainstream Chrome code base.

According to Ater, the Chocolate Factory's engineers are still in discussions with its internal web standards group to determine the best course of action – which is why he ultimately chose to publish exploit code on Github.

No bug here, says Google

But when El Reg asked Google to comment on Ater's claims, we heard a different side of the story. "The security of our users is a top priority, and this feature was designed with security and privacy in mind," a spokesperson told us.

For one thing, per Google's documentation, the blinking red light in the browser tab isn't the only way Chrome lets you know when it's using cameras or microphones. You can also check which browser window or tab is recording by clicking a persistent icon in the Windows system tray or the OS X status menu, the help page says.

Chrome Bug Lets Sites Listen to Your Conversations

For another, Google argues that the recording feature works how it was meant to work. Chrome first gained voice input support with the release of Chrome 25 last February. But what made it possible is the Web Speech API, a recent spec from the W3C, the web's primary standards body.

"The feature is in compliance with the current W3C specification, and we continue to work on improvements," a Google spokesperson told The Reg.

Ater, on the other hand, maintains that the Web Speech API requires browsers to abort speech input sessions whenever the user changes windows or tabs, to prevent the kind of abuse he describes. But the language that mandates that behavior was removed from the spec in a later errata, so that no longer appears to be the case.

And yet something seems to be fishy, because when we tried out some Web Speech API demos here at Vulture Annex in San Francisco – including Ater's exploit code and even Google's own demo – no persistent icon appeared in the system trays of our Windows machines or the status menu of our OS X computers while Chrome was listening, contrary to Google's online documentation.

It's possible that this feature was removed from recent builds of Chrome in the four months since Ater first demonstrated his exploit. If so, that would seem to make Ater's claims all the more valid, since it makes it even harder to spot when the microphone is active. Google so far has only offered a canned statement, and has yet to respond to our request for clarification on this apparent change.

Still, while it's debatable whether Chrome does enough to alert users when it's accessing their cameras or microphones, El Reg knows of at least one surefire way for Chrome users to be sure they're not being listened in on. From the main menu, choose Settings, click "Show advanced settings...", click Content Settings, then scroll down and select "Do not allow sites to access my camera and microphone." Problem solved. ®

Update

Tal Ater emailed The Reg on Thursday to correct a statement we made in an earlier version of this story. Initially, we thought that a camera icon that is visible on the OS X status bar in Ater's video was the "persistent icon" described in Google's Chrome documentation. According to Ater, that's not the case:

The icon shown in the video is the icon for ScreenFlow, the application I used to record the demo video, and not a Chrome icon. Just like in your tests, I never saw an icon indicating that the mic is on, in the system tray or OS X menu.

It seems that Google's documentation on this feature may simply be in error, at least for current builds of Chrome.

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.