updated 05:12 pm EST, Thu January 23, 2014
Vulnerability allowed websites to secretly record from a microphone
A security vulnerability in the Chrome browser that allowed malicious websites to secretly record audio through a microphone connected to the computer has been disclosed. The exploit, which was published following an apparent lack of progress by Google in implementing a patch, could have allowed the private conversations of nearby individuals to be eavesdropped upon, a developer claims.
The flaw, discovered by Tal Ater, allowed sites to record through Chrome's speech recognition system, the one employed by Google's desktop voice search extension, without informing the user. While this sounds as if it threatens a user's privacy, the exploit required users to give a site permission to listen in the first place, though the site could still listen in at a later time, when the user was unaware that it was recording. "When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden popunder window," advised Ater.
The exploit was revealed to Google's security team privately on September 13th, with suggested fixes identified on September 19th, and a patch created on September 24th. Despite the patch existing, Google is apparently waiting for its web standards group to agree on the patch's release. This delay forced Ater to publish the code for the vulnerability through a website for all to see.
Speaking to The Register, a spokesperson for Google commented, "The security of our users is a top priority, and this feature was designed with security and privacy in mind." The spokesperson went on to claim that the feature "is in compliance with the current W3C specification, and we continue to work on improvements." Earlier this month, Google added a number of new icons for tabs in Chrome, warning if a tab is playing audio, recording, or casting the tab to a Chromecast device.