Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

This Google Chrome vulnerability will literally leave you speechless - fixedByVonnie

This Google Chrome vulnerability will literally leave you speechless

Your favorite web browser is susceptible to a vulnerability that will – I’m choosing my words carefully – quite literally take your breath away.

Google Chrome has thousands of user submitted issues regarding bugs but this isn’t unique to Chrome.  Firefox and Internet Explorer have their share of problems too but exploiting this Chrome bug is uniquely nefarious because it allows a malicious website to usurp your microphone and discretely record your voice.

When you visit a website that requests your microphone, such as Google Voice search on the desktop, Chrome displays a little alert box explaining that such and such website wants to use your microphone.

Google Chrome Voice Search

If you indiscriminately trust the site and click Allow you’ll see a pulsating red bulb in the tab indicating that its recording…

The noisy tab continues to glow until you explicitly stop the recording or close the browser.   When you stop the recording, the site authorized to use your mic turns the  red light off so it appears that all recording activity has ceased…

Google Chrome Noisy Tabs

But as long as Chrome is running a malicious site could still intercept your speech and continue recording it without your knowledge.

An unsavory webmaster could code a Javascript pop-under to silently load behind your main browser window. The pop-under could lurk in the background, inert, but poised to trigger on specific keywords.  It could even masquerade as a valid banner advertisement which further obfuscates the true purpose of the ad.  The problem is that there’s no indication that the pop-under is malignant.  It seems benign and looks 100% authentic… but in reality it can furtively upload your private conversations to a remote server.

A dexterous developer from Israel named Tal Ater noticed the issue and posted the problem on his blog, Youtube channel and GitHub repository.  He also made Google aware of the problem on September 13th 2013.  Five days later Google swiftly patched the exploit but it never became available to the public.

That’s right, even though Google crafted a fix it never deployed it.  According to a Google spokesperson:

We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.

So while the world waits on the W3C standards group to agree on the proper way to handle this debacle we’re left wondering if our voices are being illicitly recorded and sent to pernicious hackers.

Fortunately, there are two things we can do to thwart the machinations of evil hackers.

Slap open Google Chrome and enter this in the address bar:

chrome://settings/contentExceptions#media-stream

You’ll get the inside scoop on all the servers that have permission to use your microphone and camera. Click the X next to any untrusted sources then commit your changes by clicking Done.

Google Chrome Media Exceptions

For extra security you could take a nuclear approach and stymie all applications from ever using your microphone and camera.

This is a sweeping move and isn’t ideal; however, you deserve to know how to do it:

Enter this in the address bar:

chrome://settings/content

Then select Do not allow sites to access my camera and microphone

Google Chrome Content Settings

The Bottom Line

As software continues to welcome voice commands and interactive controls become increasingly ascendant, people with evil intent will seek novel ways to wreak mayhem.

The bottom line is that Google needs to grow a pair and fix this serious vulnerability.  Patching a security hole is futile until it’s pushed to the public.

You could argue that most people aren’t using web resources that require camera and microphone access; however, this will undoubtedly change as more people launch web based video conferencing tools and new cloud based hardware like Google’s Chromebooks become ubiquitous.

What do you think about this exploit? Am I the only one who thinks this exemplifies atrocious UI design on Google’s part?

About

Connect with Vonnie on Twitter

Posted in Google Chrome, Web Browsers Tagged with: ,