A security flaw in Google Chrome, currently the world's most popular Web browser, could allow a hacker to turn on a user's computer microphone and secretly obtain a Chrome-generated transcript of the user's conversations, according to an Israel-based software developer who highlighted the flaw in a blog post this week.
The developer, Guy Aharonovsky, told International Business Times he found the defect in Chrome while experimenting with a voice recognition feature in the browser. He said he reported the problem to Google through its Chromium bug tracker, but the company’s developers designated it “low-severity,” which meant they didn't view it as a top priority and offered no immediate fix. Google did investigate the problem, he said, but only after he submitted a blog post about it to Reddit, a popular socially driven news site.
“Google, [like] all developers, [has] a tendency to dismiss the not-so-obvious security bugs,” Aharonovsky said.
A Google spokesperson confirmed the existence of the vulnerability on Wednesday. “Our security team is actively investigating this issue,” Google said in an email to IBTimes.
The security flaw in the Chrome browser emerges just as the world is confronting the frightening prospect of a similarly long-existing but previously undetected bug known as Heartbleed, which makes millions of passwords across the Web vulnerable to theft.
The spokesperson refused to comment on Aharonovsky’s claim that the company downplayed the security flaw until his post gained attention online. "As of right now, we have no further comment other than the one we provided in our first email," Google said.
While there's no evidence that any Chrome user has been harmed by the vulnerability, the security flaw's potential damage is significant. Chrome serves more than half of the world's Web traffic, and with just one click on a malicious Web page, a user could unwittingly allow that website to obtain a text transcript of any conversation near the computer, via the user's computer microphone.
While most hackers target victims by enticing them to download a virus or malware file, this bug only requires a Chrome user to visit a website that's designed to exploit this vulnerability.
Google told IBTimes that a software feature in the browser generates the text from a user’s voice, which is recorded by a computer microphone. Google said recorded text files contain “much less information” than audio files, and if no sound is detected for eight seconds after the last mouse click, the feature turns itself off.
Aharonovsky created a simple demonstration to show how the bug could work. In it, computer users are asked to use a mouse to drag and drop “seeds” onto the ground to grow a tree, increasing the likelihood that a voice recording is activated every eight seconds. He said this feature works even if users block access to the computer microphone in Chrome’s security settings.
The spokesperson said Google could not say when an update with a fix for the security flaw will be available.
“I do not believe [the vulnerability] will be dismissed at this point,” Aharonovsky said. “It seems like they started to look for a way to quickly mitigate this flaw.”
Follow Reporter Thomas Halleck on Twitter.