Date: Thursday, January 23rd, 2014, 08:37
Category: Announcement, Google, Hack, Opinion, privacy, security, Software, Websites
As if people were not paranoid enough about the amount of data Google captures about them, a recently discovered bug in Google’s Chrome web browser can now capture everything you say in front of your computer without you even knowing about it. And here is the kicker…it’s probably not even Google who is after your voice, it’s random hackers taking advantage of the exploit. According to developer Tal Ater, who discovered the exploit, the bug allows a malicious web site to open another browser window (just like a pop-up ad) behind the main window which continues to record your voice -even after you’ve closed the original site window- and sends the recorded data first through Google for processing, and then on to wherever the hacker wants.
As explained on Tal’s web site, however, this can’t affect you unless you give Chrome access to your microphone, which Chrome will ask for any time it loads a site using Google’s voice API for Chrome. What is even more disturbing is Google’s response to the bug. As Tal reports;
“I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers have identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000.)
Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.
I was ecstatic. The system works.
But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour – “Nothing is decided yet.””
-blink- -blink- Um, wouldn’t the correct behavior be to fix the exploit?! (by the way Google, the answer is “YES”) Over at Gizmodo, they reported that Google has responded to their inquiry on this issue with the following statement;
“The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.”
So as far as they are concerned, there isn’t a problem. I bet the NSA is happy to hear that (haha jk NSA folks…ha..ahem). Gizmodo also mentions that Google has modified pop-under behavior, and is looking into alternative visual indicators for showing when a website is recording to help let users know when their microphone is actively recording them through Chrome. Frankly, I think this is complete negligence on the part of Google. It’s their browser, their feature, and their responsibility to ensure it works properly without compromising users’ privacy and security, or else remove it entirely. The only advice I can offer is to NEVER USE THIS FEATURE IN CHROME…EVER. Rest assured I won’t be using it unless I see some proof that this exploit has been completely boarded up. I’d say never use Chrome, but even I can’t abide by that 100%.