Tal Ater, a software engineer, has unearthed a Google Chrome security vulnerability that allows websites to keep using your computer’s microphone and listening to you even after you close their tabs.
Tal says he reported the bug in September, and developers made a fix ready in a week’s time. But Google is still waiting on the Standards group to agree on the best course of action, and the bug still exists in our browsers.
Here is the story:
Wanting speech recognition to succeed, I of course decided to do the right thing…
I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers had identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000).
Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.
I was ecstatic. The system works.
But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour – “Nothing is decided yet.”
As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.
Here is a video demo:
For now, be careful about websites that ask for your permission to access your microphone.