Feeds

Chrome lets websites secretly record you?! Google says no, but...

Dev reckons exploit lets sneaky sites listen in on your mic – El Reg investigates

Choosing a cloud hosting partner with confidence

Updated A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case.

"Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli developer Tal Ater wrote in a blog post on Wednesday.

According to Ater, the vulnerability arises when sites aren't completely forthright about when they are using the microphone.

Ordinarily, users must explicitly give permission to each site that requests to use the mic, and Chrome displays a blinking red dot in the page's tab as long as the site is recording. But Ater says that's not enough to prevent malicious sites from hiding what they're doing.

"When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden pop-under window," Ater wrote. "This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."

For secure HTTPS sites, Chrome will even remember that you gave a site permission to use the microphone and will maintain that permission between browser sessions without asking you again.

Ater says he alerted Google to the dangers of this behavior last September. But although the web kingpin's engineers acted immediately, a patch was created to address Ater's concerns, and Ater's bug disclosure was even nominated for a bug bounty, the patch has yet to be merged into the mainstream Chrome code base.

According to Ater, the Chocolate Factory's engineers are still in discussions with its internal web standards group to determine the best course of action – which is why he ultimately chose to publish exploit code on Github.

No bug here, says Google

But when El Reg asked Google to comment on Ater's claims, we heard a different side of the story. "The security of our users is a top priority, and this feature was designed with security and privacy in mind," a spokesperson told us.

For one thing, per Google's documentation, the blinking red light in the browser tab isn't the only way Chrome lets you know when it's using cameras or microphones. You can also check which browser window or tab is recording by clicking a persistent icon in the Windows system tray or the OS X status menu, the help page says.

Chrome Bug Lets Sites Listen to Your Conversations

For another, Google argues that the recording feature works how it was meant to work. Chrome first gained voice input support with the release of Chrome 25 last February. But what made it possible is the Web Speech API, a recent spec from the W3C, the web's primary standards body.

"The feature is in compliance with the current W3C specification, and we continue to work on improvements," a Google spokesperson told The Reg.

Ater, on the other hand, maintains that the Web Speech API requires browsers to abort speech input sessions whenever the user changes windows or tabs, to prevent the kind of abuse he describes. But the language that mandates that behavior was removed from the spec in a later errata, so that no longer appears to be the case.

And yet something seems to be fishy, because when we tried out some Web Speech API demos here at Vulture Annex in San Francisco – including Ater's exploit code and even Google's own demo – no persistent icon appeared in the system trays of our Windows machines or the status menu of our OS X computers while Chrome was listening, contrary to Google's online documentation.

It's possible that this feature was removed from recent builds of Chrome in the four months since Ater first demonstrated his exploit. If so, that would seem to make Ater's claims all the more valid, since it makes it even harder to spot when the microphone is active. Google so far has only offered a canned statement, and has yet to respond to our request for clarification on this apparent change.

Still, while it's debatable whether Chrome does enough to alert users when it's accessing their cameras or microphones, El Reg knows of at least one surefire way for Chrome users to be sure they're not being listened in on. From the main menu, choose Settings, click "Show advanced settings...", click Content Settings, then scroll down and select "Do not allow sites to access my camera and microphone." Problem solved. ®

Update

Tal Ater emailed The Reg on Thursday to correct a statement we made in an earlier version of this story. Initially, we thought that a camera icon that is visible on the OS X status bar in Ater's video was the "persistent icon" described in Google's Chrome documentation. According to Ater, that's not the case:

The icon shown in the video is the icon for ScreenFlow, the application I used to record the demo video, and not a Chrome icon. Just like in your tests, I never saw an icon indicating that the mic is on, in the system tray or OS X menu.

It seems that Google's documentation on this feature may simply be in error, at least for current builds of Chrome.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.