Sound the alarm: if you visit voice-controlled websites using Google Chrome, pay attention, because your computer’s microphone could be used against you.
All a malicious website needs is to get you to activate voice control for any legitimate purpose and it can potentially access your computer’s microphone well after you’ve navigated away from the site you were using. The bug was discovered by tech guru Tal Ater, an Israeli programmer, who publicly disclosed the Google flaw on his website Wednesday.
According to Ater, “Even while not using your computer — conversations, meetings and phone calls next to your computer may be recorded and compromised.”
He goes on to explain via a video on his website, “What you see here essentially turns Google Chrome into an espionage tool that compromises your privacy in your office or your home, even when you’re not using your computer.”
Ater said he discovered the glitch while working on “annyang,” a popular JavaScript Speech Recognition library.
Chrome users can guarantee that nasty websites can’t access their microphones by refusing to grant access in the first place; every website must request it. They can see which sites they have given permission to in a six-step process: click the Chrome menu; click “settings”; click “show advanced settings”; click “content settings” under “privacy”; click “manage exceptions” under “media”; view the list and rescind permission if desired.
Ater goes on to explain that most sites that use speech recognition software choose to use secure ‘https’ connections. He says this doesn’t mean the site is safe; it just means the owner bought a security certificate. If you grant an https-secured site permission to use your microphone, Google Chrome will remember your choice and allow the site to start listening in the future without asking for permission again.
“This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you,” he goes on to say. “When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden pop-under window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.”
So why hasn’t the problem been fixed yet?
“The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements,” a Google representative said in a statement, according to the website Tech Times.
Not much of an explanation for why they haven’t fixed it, really, so if you use voice-activated features on your devices, beware and be cautious.