Shhh! Shazam is always listening – even when it's been switched 'off'

But it's totally benign, say developers
A security researcher has discovered that when the Mac version of Shazam is switched off, it simply stops processing recorded data. The recording itself continues.

The music identification service admits the behaviour but says it keeps recording purely for technical reasons.

Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, confirmed Shazam's "always listening" behaviour following a tip-off from a user of his webcam/mic monitoring tool, OverSight.1

This person didn't see a "Mic Off" alert when they turned off Shazam on their Mac, which prompted Wardle to do some digging.

"In short, turns out that when Shazam (macOS) is toggled 'OFF' it simply stops processing recorded data... However, recording continues," Wardle told El Reg.

Shazam lends its ears to your Mac

Wardle reached this conclusion after reverse engineering Shazam and closely examining how it worked, as detailed in a blog post here. "I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc)," Wardle concluded. "However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic."

Shazam confirmed Wardle's findings that its Mac app is continually recording even when "off" but told The Register that this behaviour was benign.

For the Mac, the mic is left on for technical reasons explained below but no audio is processed, so the user's decision not to leverage our app's functionality is fully respected. As such, there is no privacy issue since the audio is not processed unless the user actively turns the app "ON". If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users "miss out" on a song they were trying to identify.

James A Pearson, VP of global communications at Shazam, added: "There is no 'recording' bug. Shazam takes user privacy very seriously. Shazam does not save or send audio samples; only digital fingerprint summaries of the audio are sent to Shazam's servers to identify media content in Shazam's databases. As always, for user privacy, the original audio cannot be reconstructed from Shazam audio fingerprints."

Shazam's techies promised Wardle that a forthcoming update would change the problematic behaviour, an assurance not contained in its statement to El Reg, which generally downplays the situation. Wardle remains at least mildly concerned.

"My whole problem with Shazam was, when I turn the app to 'OFF' I'd expect it to stop recording," Wardle said. "But instead, they continue recording – and just stop processing the data. IMHO this is not ideal as the app is still recording – it's nice of them to stop processing that data, but yah, they are still recording all the time."

This raises "valid privacy concerns" as well as creating a potential security risk, according to Wardle.

"A piece of malware could easily inject into the app and 'steal' or 'clone' that recording, without having to initiate its own recording (thus avoiding any recording alerts)," he warned.

James A. Pearson, VP Global Communications, Shazam, got in touch to say: "Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted.

"We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days. Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop." ®

Bootnote

1Separate recent research by Wardle showed how advanced Mac malware might be able to piggy-back on to legitimate webcam sessions in order to surreptitiously record the local user. OverSight was developed as a free tool to thwart this potential line of attack, as previously reported.