Voice control is an awesomely futuristic way to control your technology like a spaceman, but only if you can trust it. So you might want to stay tight-lipped around Chrome; Google’s browser has a dangerous security flaw that can let malicious sites eavesdrop on your every word.
Discovered by web developer and Gizmodo reader Tal Ater, the bug in question is simple when exploited. All a malicious site has to do is get you to enable voice control for any legitimate purpose — maybe you want to dictate some text to a webapp, or record some noise for whatever reason — and it can potentially access your computer’s mic long after you’ve navigated away.
All it needs to do is shoot out a pop-under window disguised as an ordinary ad, or something similarly innocuous, to keep your microphone hot. As long as it remains open, every noise you make will be sent back to Google through Chrome, and then on to the snoopers for whatever purpose they see fit. And there’s no way for you to tell that the site you visited 20 minutes ago is still up to no good.
The dirty trick actually requires the use of a number of exploits, but the big one is that in Chrome, only full-on tabs indicate that they’re listening in via your microphone. Smaller banner windows can continue to listen without showing anything at all. Tal reached out to Google with the bugs months ago, and Google confirmed to him that they were security flaws. But four months later, a fix still hasn’t been pushed live to users. As of this post, the exploit still works.
The good news is that you need to initiate Chrome’s voice recognition in the first place for this to work. Until a fix comes, you can protect yourself by just never talking to Chrome, or only activating your microphone on trusted sites. Still, the existence of flaws like this (that aren’t promptly sewn up) makes it a little harder to be excited about the Star Trek future of an always-on microphone can enable, and makes it easier to be creeped out that Google and god-knows-who-else could be listening to talk to yourself at three in the morning.
You can read about the bug in nitty gritty detail over at Tal’s website or check out the exploit code on GitHub. We’ve reached out to Google and will update if and when we hear back.
Update: A Google spokesperson has responded with the following comment:
The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.
Or in other words, it seems that voice recognition behaviour is working as intended in the current stable build of Chrome as far as Google is concerned. But Google has modified pop-under behaviour, and is looking alternative visual indicators for showing when a website is recording.