As you may already know, Chrome was made to support voice input earlier this year, and there are already websites out there that offer speech recognition for interested users.
In order to do so, the website explicitly asks users permission to use their computer's microphone. If they allow it, the fact that the site now has access to it is explicitly indicated in the browser (blinking red light). Finally, when they close the site, Chrome automatically stops listening.
But Ater points out that the functionality can be misused by malicious actors:
Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesnít mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site canít start listening to you in background windows that are hidden to you.
When you click the button to start or stop the speech recognition on the site, what you wonít notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didnít even know was there.
To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows - only in regular Chrome tabs.
But the fix was not released. When he asked what the holdup was, they answered that they are still debating with the W3C (World Wide Web Consortium) whether it should be released.
Four months later, the decision is still to be made, so Ater decided to reveal the existence of these flaws and to provide the source code for the exploit to the public, in the hope that this will prompt Google to finally do something about it.
Google has now responded by saying that "the feature is in compliance with the current W3C specification," and that they continue to work on improvements. Unofficially, a source inside the company has said that they are working on making it more obvious to users when a site has access to the microphone.
The good news is any Chrome user can change the browser's settings to prevent websites from spying on them in this way (Settings > Show advanced settings > Content Settings > select: Do not allow sites to access my camera and microphone).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.