Google Chrome bug allows sites to listen users private conversations

Web developers Tal Ater discovered a Google Chrome Bug that allows websites to listen to user private conversations. Google still hasn’t patched it!

Google Chrome is one of the most diffused browsers, it has an excellent reputation in terms of security, usability and performance but it is wrong to consider it as perfect.

As any other software, also Google Chrome is affected by numerous flaws, more or less serious and in this post I will present a scary vulnerability that raises serious concerns regarding the user’s privacy.

Google Chrome implements a “Voice Recognition” feature that allows users to dictate text instead typing it, a user-friendly functionality that allow to perform web searches, to set reminders and quick conversions. The embarrassing problem is that the feature could be abused to spy on individuals.

Web developers Tal Ater discovered that the vulnerability in Google Chrome while he was working on Annyang, a tiny javascript library that lets website’s visitors control a site with voice commands. The vulnerability that can be exploited and lets malicious websites use Google Chrome as a bug to spy on the surrounding environment, even after victims has left those sites.

Every time a user visits a website that allows speech recognition feature, Google Chrome asks permission to enable microphone. Once accepted the browsers displays an icon in the notification area to notify users of microphone status (turned-on/turned-off).

This feature could be easily abused to deceive users, it is enough that the malicious web site lets visitor to enable voice control for any legitimate purpose, while silently  open a pop-under window disguised as an ordinary ad, to keep the microphone turned on.

The web developer published also a video Proof of Concept on how to exploit the Google Chrome vulnerability.

As long as it remains open, the attacker is able to capture through the microphone every noise in the surrounding environment and update the recorded audio to a remote server in a stealthy way.

“Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again.” The behavior is quite similar also for HTTPS website as explained by Tal Atar in the blog post.

Tal Atar  reported the flaw to the Google security team in late September, 2013, they recognized the flaw, but Google never released a fix for its product, leaving users vulnerable and this is very worrying in my opinion.

Several weeks passed after the notification of the bug to Google, a month and a half later the developer asked Google why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behavior.

“Nothing is decided yet.”

It’s incredible that today the flaw is still in the popular browser, Google is still waiting for the Standards group to agree on the best course of action, but the web’s standards organization, the W3C, has already defined the correct behavior which would’ve prevented this (refer specification for the Web Speech API, released in October 2012).

“We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.” said a Google spokesperson after the public release of POC.

If you are interested in the exploit, its full code is available on GitHub.

Pierluigi Paganini

(Security Affairs –  Google Chrome, hacking)