Chrome browser may be listening in (but don't burn your mic yet)

Google's Chrome browser is under fire after speech recognition researchers identified a vulnerability that allows websites to clandestinely record users through their computer's microphone, though some have questioned quite how serious the exploit actually is. Google has known about – and even had a working fix – the flaw for four months, Tal Ater claims, but for the moment sites that are given permission to access the user's microphone can go on recording from it even after the primary tab is closed.

That, Ater says, is because of the way Google's indicators for microphone access being active work. The system as it's meant to operate sees an icon for speech recognition shown, which then disappears when the tab is closed; however, Ater points out, if a malicious site admin also has a pop-under window launch, that window can continue recording – or even trigger a new recording session, if Chrome has been told to trust the recognition functionality – without any noticeable sign of that.

"This window can wait until the main site is closed, and then start listening in without asking for permission" Ater says. "This can be done in a window that you never saw, never interacted with, and probably didn't even know was there."

Pop-under windows also don't have the same audio indicator as regular Chrome tabs, the researcher highlights, in what he says is another likely contributing factor to the user remaining unaware that their speech is being monitored.

Google apparently cooked up a fix for the flaw back in September 2013, but its release is said to have been hamstrung by internal indecision.

However, it's questionable whether the issue Ater has documented is quite as serious for most users as he suggests, given it requires a "perfect storm" of sorts to actually take place. For instance, Chrome blocks pop-ups by default, which would mean that a user would have to have first either enabled permission for all pop-ups, or specifically allowed one to be loaded by a potentially dangerous site.

VIA Ars Technica