New Google Chrome bug allows eavesdropping on conversation

Security Blogger Guya discovered a new Google Chrome eavesdropping bug that allows websites to listen to user private conversations.

A second security eavesdropping flaw has been found in Google Chrome browser, a security blogger named Guya has made the alarming discovery. The security blogger discovered that an attacker exploiting the vulnerability in Google Chrome could transform the victim’s machine into a cyber spying tool.

The flaw is very alarming due the large audience of Google Chrome which is the second most popular web browser in the world. Guya immediately reported the problem to Google company and he is still waiting for its reply. Similar bugs represent a serious menace for user’s privacy which has yet to comment.

 

In January web developers Tal Ater discovered a Google Chrome bug that allows websites to listen to user private conversations abusing the speech recognition feature which need a microphone enabling.

“The first feature could be easily abused to deceive users, it is enough that the malicious web site lets visitor to enable voice control for any legitimate purpose, while silently open a pop-under window disguised as an ordinary ad, to keep the microphone turned on.”

The new eavesdropping bug is found in Google Chrome, as explained by Guya, attackers could exploit a deprecated speech API known as “x-webkit-speech” to run in the background without providing any indication to the Chrome user that its microphone is active.

“Before this fine API we currently have, Google experimented with an earlier version of the API. It works quite the same, the main difference is that the older API doesn’t work continuously and needs to start after every sentence. Still, it’s powerful enough and it has some flaws that enable it to be abused. I believe this API was introduced with Chrome 11 and I have a good reason to believe it was flawed since than.”

Guya demonstrated that it is quite easy to exploit the eavesdropping flaw, it is enough to add a single line of code to a website to exploit the bug and obtain the access to the audio stream from the victim’s computer.

“There is absolutely no indication that anything is going on. There are no other windows or tabs, and [not] some kind of hidden popup or pop-under. The user will never know this website is eavesdropping.”  said Guya, 

Guya remarked that any indication of microphone activity can be set to appear on the edge of the screen or worse, it could be totally covered with dummy images or other page elements.

“In Chrome all one need in order to access the user’s speech is to use this line of HTML5code:

<input -x-webkit-speech />

That’s all; there will be no fancy confirmation screens. When the user clicks on that little grey microphone he will be recorded. The user will see the “indication box” telling him to “Speak now” but that can be pushed out of the screen and / or obfuscated.” reports Guya. 

The researcher provided a POV for the bug exploitation.

Pierluigi Paganini

(Security Affairs –  Google Chrome, eavesdropping)