Chrome bug allows sites to listen in on conversations after you close them
Speech recognition is one of the big things that will improve a lot in coming years. Right now, it boils down to giving short commands, or recording what you say into the microphone.
Eventually, you won't be using the keyboard anymore but will use your voice to command your computer, at least for the majority of tasks.
Back last year it became known that the NSA can turn on the iPhone camera and microphone without the user knowing about it.
This was also the time when a new security issue that was found in Chrome was reported to Google. It described a way that malicious websites could use to continue to listen in on what is being said around the computer long after the website on which the speech functionality was used had been closed.
First of all, it means that users who do not use speech recognition right now have nothing to worry about. If you are using speech recognition in Google Chrome, you may want to know more about the bug.
When you use speech in Chrome (a prime example is the main Google search engine, where you can search by voice), you need to explicitly allow that before the feature becomes available.
Once enabled, a clear indicator is shown in the address bar that speech is enabled and that the site is listening. Any noise that is in reach gets recorded and sent to the site in question.
The problem here is that sites may open a second window on the screen, perhaps a popup that is hidden underneath the main window.
Since there is no restriction with regard to which page of the site can listen in on the conversation, this can be exploited. The second window can be disguised as a banner ad, for example, and since it does not give any indication that speech is enabled, you may not even notice anything suspicious about it.
So, you enable use of the microphone on a site, that site spawns a hidden popunder window, you stop the microphone use and while everything seems normal to you, the site continues to listen in on your conversations.
Here is a video demonstration of the concept.
The only way to stop this right now is to close Chrome completely after you use speech in the browser, or to make sure that no secondary page of that site was spawned in another window or is open in another tab.
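Because any window of a permitted site can use the microphone, it also helps to know which sites currently hold that permission. The Python script below is an added example, not part of the original article or the researcher's code: it lists the sites with a microphone "allow" entry in a Chrome profile's Preferences file. The key path and the meaning of the setting values are assumptions about how current Chrome builds store site permissions, and the sample data is constructed.

```python
import json

# Assumption: Chrome keeps per-site microphone decisions in the profile's
# "Preferences" JSON file under this key path, with setting 1 = allow, 2 = block.
MIC_KEY_PATH = ("profile", "content_settings", "exceptions", "media_stream_mic")
ALLOW = 1


def sites_with_mic_grant(prefs):
    """Return the sorted site patterns that hold an 'allow' for the microphone."""
    node = prefs
    for key in MIC_KEY_PATH:
        if not isinstance(node, dict) or key not in node:
            return []  # no microphone decisions recorded in this profile
        node = node[key]
    if not isinstance(node, dict):
        return []  # unexpected layout: treat as nothing recorded
    granted = []
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # Keys look like "primary_pattern,secondary_pattern"; keep the primary.
            granted.append(pattern.split(",", 1)[0])
    return sorted(granted)


def load_prefs(path):
    """Read a Preferences file; close Chrome first so the file is not mid-write."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"media_stream_mic": {
  "https://voice-search.example:443,*": {"setting": 1},
  "https://ads.example:443,*": {"setting": 2},
  "https://meeting.example:443,*": {"setting": 1}
}}}}}
""")

if __name__ == "__main__":
    for site in sites_with_mic_grant(SAMPLE_PREFS):
        print("microphone allowed:", site)
```

To check a real profile, pass the result of `load_prefs()` on that profile's Preferences file to `sites_with_mic_grant()`; every site it returns is one whose other windows or tabs should be closed after using speech.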
The full source code of the exploit was hosted on GitHub by the author, so that you can check it out yourself if that is of interest to you.