This Google Chrome vulnerability will literally leave you speechless

Your favorite web browser is susceptible to a vulnerability that will – I’m choosing my words carefully – quite literally take your breath away.

Google Chrome has thousands of user-submitted bug reports, but this isn’t unique to Chrome. Firefox and Internet Explorer have their share of problems too, but exploiting this Chrome bug is uniquely nefarious because it allows a malicious website to usurp your microphone and discreetly record your voice.

When you visit a website that requests your microphone, such as Google Voice search on the desktop, Chrome displays a little alert box explaining that such and such website wants to use your microphone.

Google Chrome Voice Search

If you indiscriminately trust the site and click Allow, you’ll see a pulsating red bulb in the tab indicating that it’s recording…

The noisy tab continues to glow until you explicitly stop the recording or close the browser. When you stop the recording, the site authorized to use your mic turns the red light off, so it appears that all recording activity has ceased…

Google Chrome Noisy Tabs

But as long as Chrome is running, a malicious site could still intercept your speech and continue recording it without your knowledge.

An unsavory webmaster could code a JavaScript pop-under to silently load behind your main browser window. The pop-under could lurk in the background, inert, but poised to trigger on specific keywords. It could even masquerade as a valid banner advertisement, which further obfuscates the true purpose of the ad. The problem is that there’s no indication that the pop-under is malignant. It seems benign and looks 100% authentic… but in reality it can furtively upload your private conversations to a remote server.

A dexterous developer from Israel named Tal Ater noticed the issue and posted the problem on his blog, YouTube channel and GitHub repository. He also made Google aware of the problem on September 13th, 2013. Five days later Google swiftly patched the exploit, but the patch never became available to the public.

That’s right, even though Google crafted a fix it never deployed it.  According to a Google spokesperson:

We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.

So while the world waits on the W3C standards group to agree on the proper way to handle this debacle we’re left wondering if our voices are being illicitly recorded and sent to pernicious hackers.

Fortunately, there are two things we can do to thwart the machinations of evil hackers.

Slap open Google Chrome and enter this in the address bar:

chrome://settings/contentExceptions#media-stream

You’ll get the inside scoop on all the servers that have permission to use your microphone and camera. Click the X next to any untrusted sources then commit your changes by clicking Done.

Google Chrome Media Exceptions
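The same review can be scripted against a profile's Preferences file. This is an added example, not part of the original post: it assumes the JSON layout recent Chrome versions use (`profile.content_settings.exceptions.media_stream_mic` and `media_stream_camera`, with setting 1 meaning allow), and the sample data and trusted list are constructed.

```python
import json
import sys

# Constructed sample in the shape of Chrome's per-profile Preferences JSON (assumed layout).
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {
  "media_stream_mic": {
    "https://voice.example.com:443,*": {"setting": 1},
    "http://ads.example.net:80,*": {"setting": 1},
    "https://blocked.example.org:443,*": {"setting": 2}
  },
  "media_stream_camera": {
    "https://meet.example.com:443,*": {"setting": 1}
  }
}}}}
""")

# Chrome's stored ContentSetting values.
SETTING_NAMES = {0: "default", 1: "allow", 2: "block", 3: "ask"}
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}

def media_grants(prefs):
    """Return sorted (device, origin, setting) tuples for every per-site exception."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}))
    rows = []
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            origin = pattern.split(",", 1)[0]  # "origin,embedder" -> origin
            rows.append((device, origin, SETTING_NAMES.get(entry.get("setting"), "unknown")))
    return sorted(rows)

def needs_review(prefs, trusted, device="microphone"):
    """Origins allowed to use the device that are not on the trusted list."""
    return [o for d, o, s in media_grants(prefs)
            if d == device and s == "allow" and o not in trusted]

if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFS
    for device, origin, setting in media_grants(prefs):
        print(f"{device:10} {setting:8} {origin}")
    print("review:", needs_review(prefs, trusted={"https://voice.example.com:443"}))
```

Any origin it lists for review can then be removed on the exceptions page described above.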

For extra security you could take a nuclear approach and stymie all applications from ever using your microphone and camera.

This is a sweeping move and isn’t ideal; however, you deserve to know how to do it:

Enter this in the address bar:

chrome://settings/content

Then select Do not allow sites to access my camera and microphone

Google Chrome Content Settings

The Bottom Line

As software continues to welcome voice commands and interactive controls become increasingly ascendant, people with evil intent will seek novel ways to wreak mayhem.

The bottom line is that Google needs to grow a pair and fix this serious vulnerability.  Patching a security hole is futile until it’s pushed to the public.

You could argue that most people aren’t using web resources that require camera and microphone access; however, this will undoubtedly change as more people launch web-based video conferencing tools and new cloud-based hardware like Google’s Chromebooks becomes ubiquitous.

What do you think about this exploit? Am I the only one who thinks this exemplifies atrocious UI design on Google’s part?


Connect with Vonnie on Twitter
