A very shocking fact was found for vulnerability in Google’s Chrome browser which allows websites to listen aka record a user through computer’s microphone secretly. Researchers have found that a software was made, which works on principle of speech recognition.
Tal Ater, a program developer on speech recognition discovered the exploit in Chrome’s speech recognition software on September 13, 2013. Within 10 days of the incident, Google released a patch on September 24, 2013.
Ater writes in a blog post, "On Sept. 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000). Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than two weeks from my initial report. I was ecstatic. The system works. But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behavior — ‘Nothing is decided yet.’”
As per Google, the fix was released but never implemented because Chrome complies with regulatory guidelines despite the vulnerability.
Google expressed the below statement to Engadget:
“The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.”
How about the bug on Chrome and how the exploit works?
Various malicious sites use pop-under windows which enables it to listen to Chrome users even after they have closed that website page or even closed the main browser window.
Ater added that “This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there. To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows — only in regular Chrome tabs.”
Ater published a video on Youtube, which shows how the exploit works.