Google Chrome Bug Allows Hackers to Record Voice

Google Chrome

A bug found in Google Chrome allows hackers to eavesdrop on conversations and record a person’s voice. The bug was spotted in September 2013, but has only just been brought to light to the public.

Tal Ater, an Israeli entrepreneur and web developer, found the bug on the web browser by chance. He was developing a speech recognition program using the Javascript programming language, in September.  As soon as he found the issue, he alerted Google. However, the tech giant failed to do anything to fix it and Ater decided it was time to inform the public. He did so through his own website, sharing a video to show the bug in action.

Ater explained the problem arises due to the way different parts of Google Chrome have been developed. When a webpage is using the microphone or camera on the computer, a small red dot appears on the tabs. This indicates that the page has permission to access the components. However, this doesn’t happen on pop-up pages. An attacker will be able to create pop-ups that have access to the microphone, without anybody noticing.

Pop-under web pages are becoming more popular, which appear behind the open page. This causes more of a danger with this security weakness. Users will not know that there is another page open, let alone that that page is recording their voices. These windows can also be viewed as banners, making it even harder to tell if they are recording anything.

Many would think the request for permission would help solve this issue, but Chrome has the ability to remember permissions that have been previously given. There would be no need for Google Chrome to ask again and the microphone is automatically activated, so the bug allows hackers to record voice communications easily.

Ater informed Google as soon as possible, and the tech giant originally thanked him and even nominated him for a prize for his diligence. According to the company, a patch had been developed after programmers found the root of the bug. However, that patch has never been applied to browser updates and people have not been given the option to download the patch.

He did return to the Google team, a month and a half later, to find out why the patch had not yet been applied. The team responded with comments about the Standards Group still discussing the issue. The group is still debating and discussing the proper way to handle this, while the browser remains vulnerable to attacks.

According to Google, there are other ways to tell if a website is using the microphone or camera, which are visible in pop-up windows. The OS X status menu or Windows system tray will alert a person when the components are in use or a browser window has permission for them. The tech giant also defends its actions by stating the security is to W3C specifications.

Ater believes it is a major security concern, but Google seem to think otherwise. NDTV tried to replicate the problem and succeeded, highlighting the issue of the Google Chrome bug that allows hackers to record voice communications.

By Alexandria Ingham


Tal Ater
The Register

You must be logged in to post a comment Login