Sundar Pichai, senior vice president of Google Chrome, speaks during Google I/O Conference at Moscone Center in San Francisco, California June 28, 2012. REUTERS/Stephen Lam (UNITED STATES - Tags: BUSINESS SCIENCE TECHNOLOGY) - RTR34B4Y

Bugs in Google Chrome let websites listen to your conversations

Giuseppe Macri
Tech Editor

Google’s popular Chrome search engine might be doing more than helping you find websites — it might be helping websites find and listen to you through the microphone in your computer.

TalAter.com reports the search engine’s voice recognition functionality can be compromised by websites that allow Chrome users to navigate their site via voice.

The problem is that once you give Chrome permission, the websites you’ve visited retain that permission even when you’re not on the site, allowing them to tap into your computer’s onboard microphone and listen in at any time.

Any site operator that chooses to adopt Chrome’s speech recognition ability and buy a $5 HTTPS security certificate will have the ability to hack visitors’ microphones. Typically when a user visits a site, they have to manually allow voice recognition, after which Chrome will display a visual indicator telling users the function is live.

What users won’t see is the secret window sites can immediately open up after voice recognition is activated, which stays open and under the control of the site even after the user manually disables the function, thanks to bugs in the search engine’s programming.

A speech recognition library maintainer discovered the bugs and reported them almost four months ago to Google’s security team, which fixed them two weeks later but never released the update to the public because of an “ongoing discussion” within the “Standards group.”

According to the maintainer, web standards organization W3C outlined behavior that would have corrected any such problem as far back as October 2012.

The source code for the bug is posted on GitHub, and a video showing the exploit in action was uploaded to YouTube Wednesday.
