Chrome Bug Allows Sites to Listen in Even After You Close Tabs

Tal Ater, a software engineer, has unearthed a Google Chrome security vulnerability which allows websites to continue using your computer’s microphone and listen to you even if you close those tabs.

Tal says he reported the bug in September, and developers had a fix ready within a week’s time. But Google is still waiting on the Standards group to agree on the best course of action, and the bug still exists in our browsers.

Here is the story:

I discovered this exploit while working on annyang, a popular JavaScript Speech Recognition library. My work has allowed me the insight to find multiple bugs in Chrome, and to come up with this exploit which combines all of them together.

Wanting speech recognition to succeed, I of course decided to do the right thing…

I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers had identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000).

Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.

I was ecstatic. The system works.

But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour – “Nothing is decided yet.”

As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.

Here is a video demo:

For now, be careful about websites that ask for your permission to access the microphone.
