Google Chrome bug allegedly allows attackers to eavesdrop and record your voice

An alarming bug has been discovered in Google Chrome that could allow attackers to surreptitiously record your voice and everything around you. Israeli web developer and entrepreneur Tal Ater discovered the problem last September while working on a JavaScript speech recognition project. After seeing no concrete action from Google to fix the problem, he has now posted proof to his personal website.

According to Ater's description, the flaw is possible because of the way different parts of Chrome were designed. While there is a clear indication to users on the tab bar when a website has activated your PC's mic or camera, there is no way to display such a notification on popup windows. Thus a website which has been granted permission to use your microphone (such as Google's own homepage, when voice search is enabled) can quietly spawn popups in the background which will inherit the permission but not display any indication that they are recording you.

Websites could thus be compromised, and a user might never know that a pop-under page has opened behind their open browser window. A user would have no way to know such a window is open, and it could be disguised as just another ad.

Compounding the problem, Chrome remembers permissions granted to pages that use the HTTPS protocol, trusting them to be secure. Thus, users aren't even asked to confirm whether they would like to allow a page to activate the mic.

Ater says he contacted Google on September 13 2013 and was informed less than a week later that the root causes problem had been identified. Five days after that, a patch had been developed. Ater says he was nominated for a reward under a Google scheme that pays up to $30,000 (approximately Rs. 18,72,300) to ethical developers who discover and report such bugs.

However the patch was never released to the public or applied to future releases of Chrome. Ater claims that Google does not believe that there is anything wrong with the way Chrome behaves. In a statement to UK news site The Register, Google said, "The feature is in compliance with the current W3C specification, and we continue to work on improvements."

We attempted to recreate the problem and confirmed that Chrome tabs with voice input enabled do display a pulsing red dot in the tab bar, but do not cut off the microphone when the user switches to another tab or program. We were prompted for permission the first time we used a voice input feature on any website, but not on subsequent uses. Furthermore, there is no indication outside of Chrome that anything is being recorded. This means that background windows are indeed capable of recording a user's voice and surroundings without his or her knowledge.