Published on April 11th, 2014

Chrome Bug Allows Websites to Eavesdrop on You



Google has created a speech-recognition Application Programming Interface (API) that allows websites to interact with Google Chrome and the computer’s microphone. It lets you speak instead of typing into any text box to make hands-free web searches and quick conversions, and audio translators also work with it.
In January, a flaw was discovered in Google Chrome that enabled malicious websites with speech-recognition software to eavesdrop on users’ conversations from the background, without their knowledge, using an outdated Google speech API.

A new, similar vulnerability in Google Chrome has been discovered by Israeli security researcher Guy Aharonovsky, who claims that Chrome’s speech-recognition API has a vulnerability that allows attackers to turn a victim's machine into a listening port without asking for any permission, even if your microphone is completely disabled.

"Even blocking any access to the microphone under chrome://settings/content will not remedy this flaw," he said in a blog post.

The reported vulnerability exploits the “-x-webkit-speech” feature of Chrome’s speech-recognition API and allows a malicious web application to eavesdrop in the background without any indication to the user that their microphone is enabled.
He has also published a proof-of-concept webpage and a video demonstration. The demonstration is designed for Chrome on the Mac operating system; the exploit itself is specific to Chrome and works on any operating system.
In the demonstration, he used the HTML5 full-screen feature to hide the indication box.

In Chrome, all one needs in order to access the user’s speech is this line of HTML5 code: <input -x-webkit-speech="" />. That’s all; there will be no fancy confirmation screens. When the user clicks on that little grey microphone, he will be recorded. The user will see the ‘indication box’ telling him to “Speak now”, but that can be pushed out of the screen and/or obfuscated.
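
For anyone auditing their own pages or third-party widgets, the attribute named above can be located in static markup with a real HTML parser rather than a text search. This is an added example, not code from the researcher or from Google; the function names and the sample page are constructed, and the spelling without the leading dash is included as the form Chrome shipped.

```python
from html.parser import HTMLParser

# "-x-webkit-speech" is the spelling used in the article; "x-webkit-speech"
# (no leading dash) is the form Chrome shipped. Both are checked.
SPEECH_ATTRS = {"-x-webkit-speech", "x-webkit-speech"}


class SpeechInputFinder(HTMLParser):
    """Records every element in static markup that carries a speech attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so mixed-case
        # markup is matched too. Self-closing tags also arrive here.
        attr_map = dict(attrs)
        hits = sorted(SPEECH_ATTRS & attr_map.keys())
        if hits:
            line, col = self.getpos()  # position of the tag's "<"
            self.findings.append({
                "tag": tag, "attr": hits[0], "line": line, "col": col,
                "id": attr_map.get("id") or attr_map.get("name") or "",
            })


def find_speech_inputs(html_text):
    """Return findings for markup only; comments and script text are skipped,
    so elements created at runtime by JavaScript are out of scope here."""
    finder = SpeechInputFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from the proof of concept).
SAMPLE = """<html><body>
<form>
  <input id="q" -x-webkit-speech="" />
  <INPUT name="note" X-WEBKIT-SPEECH>
  <input id="plain" type="text">
</form>
<!-- <input x-webkit-speech> in a comment is not markup -->
<script>var s = '<input x-webkit-speech>';</script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_speech_inputs(SAMPLE):
        print(f"line {f['line']}: <{f['tag']}> has {f['attr']} (id/name: {f['id']!r})")
```
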






He has reported the flaw to Google via the Chromium bug tracker. They confirmed the existence of the vulnerability but assigned it a 'low' severity level, which means Google will not offer any immediate fix for this flaw.
