Google fails to release patch for Chrome's voice recognition exploit


The exploit may allow sites to activate your microphone even after you have exited Chrome.

Google engineers have failed to release a patch to fix a 4-month old exploit which could allow malicious sites to hack user’s microphones through Chrome's voice recognition app.

The company says it has had internal ongoing discussions but has failed to reach a decision to release the update.

According to Annyang programmer Tal Ater-who found the vulnerability four months ago-user's devices will become susceptible to hacker's and spies.

“This may now be compromised by a new exploit which lets malicious sites turn Google Chrome into a listening device, one that can record anything said in your office or your home, as long as Chrome is still running."

The exploit works after a user has given permission to a website to access the microphone for voice recognition purposes. While Chrome indicates the use of the microphone, Ater says malicious sites can continue to listen even after the user has closed the browser. The speech recognition developer says HTTPS connections do not guarantee protection from these sites. Instead, Chrome will not ask for microphone access permission from users in the future, allowing the sites to continue to listen to your conversations.

Atar also warns hidden banners and pop-up windows can also act as a voice recorder which will continue to spy on users even after the browser has been closed. He hopes the patch will make it necessary for sites to show visual indication that Speech Recognition is turned on in such windows.

The dilemma comes only days after Chrome extensions were found to be serving rogue ads through malicious code. Users can report security vulnerabilities and bugs by following these steps.

Source: Talater.com | Image via Logobird

Report a problem with article
Previous Story

GTA V for PC shows up on Amazon, available to pre-order

Next Story

Motorola reveals plans for $50 smartphone, more device customization

28 Comments

View more comments

NoClipMode said,
IE is much more secure than Chrome these days.

IE has ALWAYS been more secure than Chrome, IMO!
Never been anything more than a (dumb) fanboy browser anyway.

Would never install Chrome, even on an enemies computer!

joep1984 said,
So wait...they talked about it, but are arguing about releasing a fix for this? Nice. Keep it classy, Google.

Yeah, what's there to talk about, right? Just fix it and send it through one of those wonderful silent upgrades, along with some cool new spyware

The discussion regards how to best fix it, since the "fix" (which is not a security hole in the traditional sense) will probably impact the end user.

Honestly, this all seems overly hyped. You allow a domain to use your mic and go figure that a pop-up or pop-under (within the same domain no less) will use your mic. It seems more like an oversight than an exploit that the icon notification would not display in the pop-under.

As for listening when the browser is closed...where is that in the video? There's no proof of concept! Am I missing something? Maybe I'm tired from work, but this just seems like sensational B.S.

Ironically, Chrome/Android is suffering the same fate as XP. They are popular and extensible with a convenience-first attitude to security. That might make for cool add-ons to be more available, but it certainly increases the attack surface for malware.

It took years for Microsoft to adopt a security-first model, often to the detriment of usability -- UAC was so annoying when it first came out, and directory virtualization could be such a pain.

Eventually, users will demand more secure platforms.

You must not even have read the article. That comment is off topic.

This has nothing to do with:
- Malware
- Add-ons
- UAC
- Directory virtualization
- Operating system security
- Convenience-first attitudes

Please read firey's comment below for a good summary on this.

It's simply a design / user experience concern. The "exploit" isn't due to a security hole or anything. Google might fix this by for example only giving a temporary per-domain permission and not a permanent one, even if the user says that Chrome should trust the domain.

This is kind of on the level of a "security problem" where you give your password to an untrustworthy website. Where to draw the line, and how?

Edited by Northgrove, Jan 23 2014, 1:32pm :

Northgrove said,
You must not even have read the article. That comment is off topic.

Read the 2nd to last line of the article.

yeah but if you use chrome in corporate environment and happen to brows to site which has these "hidden banners and pop-up windows" and just listen to what's going on in some random CEO's room.. such secure, much paranoia, wow

So basically.. the issue is that you allow access to the entire site for the duration of it being up. And what happens is that site could create a pop-under ad that you don't see? Don't you have to allow ads for that to happen?

I mean.. I guess I could see the exploit.. but it's not a code issue per-se, it's more of a range issue. The issue is that it is allowed on a site level, not a per-tab/per-window level.

I am sure glad Google is the only one who doesnt release fixes in a timely manner......*coughapplecough* *coughmicrosoftcough*

Edited by techbeck, Jan 23 2014, 12:35pm :

Wow this article is seriously misleading. Tal Ater (the person who found the bug) said repeatedly that this attack only works with chrome running whereas the article states " Ater says malicious sites can continue to listen even after the user has closed the browser". That's a flat out lie and shabby reporting. Poor show Neowin.

deadonthefloor said,

I can't imagine it being that hard to hide a window from the shell.

Unless there's an exploit that you know about then it is not possible to create a hidden a browser window from within a web page. In fact you can't create a window smaller than 100px or outside of the visible area of the screen.

End of the month already? Oh Yup! Get that Google article up cause we need that ad revenue to pay the bills!!!

This exploit is so minor because it requires first the users approval. If the user does not want to allow sites access to the microphone, simply do not approve it...

Commenting is disabled on this article.