Feeds

Chrome lets websites secretly record you?! Google says no, but...

Dev reckons exploit lets sneaky sites listen in on your mic – El Reg investigates

5 things you didn’t know about cloud backup

Updated A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case.

"Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli developer Tal Ater wrote in a blog post on Wednesday.

According to Ater, the vulnerability arises when sites aren't completely forthright about when they are using the microphone.

Ordinarily, users must explicitly give permission to each site that requests to use the mic, and Chrome displays a blinking red dot in the page's tab as long as the site is recording. But Ater says that's not enough to prevent malicious sites from hiding what they're doing.

"When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden pop-under window," Ater wrote. "This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."

For secure HTTPS sites, Chrome will even remember that you gave a site permission to use the microphone and will maintain that permission between browser sessions without asking you again.

Ater says he alerted Google to the dangers of this behavior last September. But although the web kingpin's engineers acted immediately, a patch was created to address Ater's concerns, and Ater's bug disclosure was even nominated for a bug bounty, the patch has yet to be merged into the mainstream Chrome code base.

According to Ater, the Chocolate Factory's engineers are still in discussions with its internal web standards group to determine the best course of action – which is why he ultimately chose to publish exploit code on Github.

No bug here, says Google

But when El Reg asked Google to comment on Ater's claims, we heard a different side of the story. "The security of our users is a top priority, and this feature was designed with security and privacy in mind," a spokesperson told us.

For one thing, per Google's documentation, the blinking red light in the browser tab isn't the only way Chrome lets you know when it's using cameras or microphones. You can also check which browser window or tab is recording by clicking a persistent icon in the Windows system tray or the OS X status menu, the help page says.

Chrome Bug Lets Sites Listen to Your Conversations

For another, Google argues that the recording feature works how it was meant to work. Chrome first gained voice input support with the release of Chrome 25 last February. But what made it possible is the Web Speech API, a recent spec from the W3C, the web's primary standards body.

"The feature is in compliance with the current W3C specification, and we continue to work on improvements," a Google spokesperson told The Reg.

Ater, on the other hand, maintains that the Web Speech API requires browsers to abort speech input sessions whenever the user changes windows or tabs, to prevent the kind of abuse he describes. But the language that mandates that behavior was removed from the spec in a later errata, so that no longer appears to be the case.

And yet something seems to be fishy, because when we tried out some Web Speech API demos here at Vulture Annex in San Francisco – including Ater's exploit code and even Google's own demo – no persistent icon appeared in the system trays of our Windows machines or the status menu of our OS X computers while Chrome was listening, contrary to Google's online documentation.

It's possible that this feature was removed from recent builds of Chrome in the four months since Ater first demonstrated his exploit. If so, that would seem to make Ater's claims all the more valid, since it makes it even harder to spot when the microphone is active. Google so far has only offered a canned statement, and has yet to respond to our request for clarification on this apparent change.

Still, while it's debatable whether Chrome does enough to alert users when it's accessing their cameras or microphones, El Reg knows of at least one surefire way for Chrome users to be sure they're not being listened in on. From the main menu, choose Settings, click "Show advanced settings...", click Content Settings, then scroll down and select "Do not allow sites to access my camera and microphone." Problem solved. ®

Update

Tal Ater emailed The Reg on Thursday to correct a statement we made in an earlier version of this story. Initially, we thought that a camera icon that is visible on the OS X status bar in Ater's video was the "persistent icon" described in Google's Chrome documentation. According to Ater, that's not the case:

The icon shown in the video is the icon for ScreenFlow, the application I used to record the demo video, and not a Chrome icon. Just like in your tests, I never saw an icon indicating that the mic is on, in the system tray or OS X menu.

It seems that Google's documentation on this feature may simply be in error, at least for current builds of Chrome.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.