By exploiting the voice control feature that is standard on many computers, smartphones and tablets, hackers can turn Google Chrome into a listening device to record your conversations without your knowledge, according to a web developer.
The developer, an employee at a start-up in Tel Aviv and an authority in voice recognition technology, explained on his blog how malicious websites could hack your Chrome browser to listen in on your personal moments through your computer’s microphone:
A user visits a site, that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice. Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good.
But what if that site is run by someone with malicious intentions?
Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you.
When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.
To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows – only in regular Chrome tabs.
Google responded to the developer’s findings with the following statement: “The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”
But considering that almost everyone has a computer or smartphone vulnerable to the flaw, users concerned about their privacy should take precautions when using Google Chrome. By checking the privacy settings on their devices and in Chrome (settings > show advanced settings > content settings in the privacy section), users can see what websites or applications have asked for permission to use the microphones on their devices.