Listen, Chrome…

January 30, 2014

It appears that PCs are not only able to spy on you via cameras, but they’re also able to listen in on you, and discreetly at that! The only requirements are that Google Chrome is installed on the user’s PC and that the PC has a microphone.


It comes as no surprise that modern websites are capable of interacting with a wide range of PC peripherals. Of course, a user has to give consent, but that process is usually pretty easy and involves just one click of the ‘Yes’ button. For instance, in order to upload a photo to a social network profile, one just needs to confirm the pop-up request coming from the website and allow the built-in camera to take a picture. In order to prevent the website from abusing the rights granted by the user, the browser needs to take them away from the webpage. But could it be true that the web resource, without the user’s consent, is continuing to control some of the PC functions?

Tal Ater, an Israeli software developer, proved that there is a good chance of this happening. The vulnerability he found in the code of the popular Google Chrome browser, if exploited by a cybercriminal, might turn an ordinary PC into the perfect resource for spying on a user. The only thing the criminal has to do is lure the user into using a voice recognition capability and allowing the website to turn on the microphone on a single occasion. From that moment on, the criminal is able to record sound via the microphone, even after the page has been closed. In addition to that, the red blinking indicator on the web browser task bar, which serves as a notice that a recording is in progress, conveniently turns off, leading the user to believe the recording has ended.


To demonstrate his discovery, Ater recorded a 4-minute video. It shows clearly how a user opens and closes a compromised webpage that uses speech-to-text capabilities, and how the page then continues to record sound in background mode. The sound data is sent to Google servers to be converted into text, and the text is then returned to fall into the criminal’s waiting hands.

To make matters worse, the majority of speech-aware websites use a protected HTTPS connection. In these cases, Chrome remembers that the page was previously allowed to use the microphone and does not ask for permission again the next time. Moreover, this vulnerability could be tweaked so that certain words are used as triggers to start recording automatically. A ready-made tool for spying on people!

Curiously enough, Google was aware of the vulnerability back in September. Before going public with his discovery, Tal Ater contacted the search giant to let them know. In less than two weeks, the company representatives sent him confirmation that the bug had been fixed and the patch was ready. However, it was never published, even four months later. We can only guess why developers of one of the most important browsers reacted so casually.

We recommend users stay alert, or even abstain from voice recognition webpages when using Chrome. As a last resort, you can shut down the browser, together with all the bookmarks and running processes – this way it won’t be able to record anything, or send any data to a cybercriminal.
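Because Chrome remembers microphone grants for HTTPS pages, it helps to know which sites currently hold one. The following is an added example, not code from the original article or from Google: a short Python audit that lists the origins whose microphone permission is stored as "allow" so they can be reviewed and revoked. It assumes the profile's Preferences file is JSON with the grants under `profile.content_settings.exceptions.media_stream_mic`, as in current Chrome builds; the sample data and origins are constructed.

```python
import json
import sys

# Constructed sample of a Chrome profile "Preferences" file. The key layout is
# an assumption based on current Chrome builds; the origins are made up.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"media_stream_mic": {
        "https://speech-demo.example:443,*": {"setting": 1},
        "https://dictation.example:443,*": {"setting": 1},
        "https://blocked.example:443,*": {"setting": 2},
    }}}}
})

ALLOW = 1  # Chrome's stored content-setting value for "allow" (2 means "block")
MIC_PATH = ("profile", "content_settings", "exceptions", "media_stream_mic")


def remembered_mic_grants(prefs_text):
    """Return the sorted origins whose microphone permission is stored as allow."""
    try:
        node = json.loads(prefs_text)
    except json.JSONDecodeError as exc:
        raise ValueError("Preferences content is not valid JSON") from exc
    # Walk down to the microphone exceptions, tolerating missing or odd sections.
    for key in MIC_PATH:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []
    grants = []
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # The key is "<requesting origin>,<embedding origin>"; keep the first.
            grants.append(pattern.split(",", 1)[0])
    return sorted(grants)


if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PREFS
    for origin in remembered_mic_grants(text):
        print("microphone allowed without prompt:", origin)
```

Any origin it prints will not trigger a new permission prompt; grants that are no longer needed can be removed in Chrome's site settings.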