Google Chrome Bug Could Allow Websites To Snoop On Conversations

A security flaw in the world's most popular Web browser allows any site to read transcripts of nearby speech

By Thomas Halleck (@tommylikey, t.halleck@ibtimes.com)
on April 10 2014 3:36 PM
  • People check their laptops and mobile devices in London October 26, 2011. REUTERS
  • A flaw in Google's popular Chrome browser allows any website to hack into its speech recognition software and access a transcript of anything spoken within range of the computer's microphone. Above, Google's head of Chrome, Sundar Pichai, discusses the browser onstage at the company's annual I/O conference in Mountain View, Calif. Reuters
  • Google Chrome can access your computer's microphone to enable voice searches and Google Now functionality, but an Israel-based developer has found a security flaw that allows Websites to record text transcripts of any conversation in range of your computer's microphone. Google

A security flaw in Google Chrome, currently the world's most popular Web browser, could allow a hacker to turn on a user's computer microphone and secretly obtain a Chrome-generated transcript of the user's conversations, according to an Israel-based software developer who highlighted the flaw in a blog post this week.

The developer, Guy Aharonovsky, told International Business Times he found the defect in Chrome while experimenting with a voice recognition feature in the browser. He said he reported the problem to Google through its Chromium bug tracker, but the company’s developers designated it “low-severity,” which meant they didn't view it as a top priority and offered no immediate fix. Google did investigate the problem, he said, but only after he submitted a blog post about it to Reddit, a popular socially driven news site.

“Google, [like] all developers, [has] a tendency to dismiss the not-so-obvious security bugs,” Aharonovsky said.

A Google spokesperson confirmed the existence of the vulnerability on Wednesday. “Our security team is actively investigating this issue,” Google said in an email to IBTimes.

The security flaw in the Chrome browser emerges just as the world is confronting the frightening prospect of a similarly long-existent but previously undetected bug known as Heartbleed, which makes millions of passwords across the Web vulnerable to theft.

The spokesperson refused to comment on Aharonovsky’s claim that the company downplayed the security flaw until his post gained attention online. "As of right now, we have no further comment other than the one we provided in our first email," Google said.

While there's no evidence that any Chrome user has been harmed by the vulnerability, the security flaw's potential damage is significant. Chrome serves more than half of the world's Web traffic, and with just one click on a malicious Web page, a user could unwittingly allow that website to obtain a text transcript of any conversation near the computer, via the user's computer microphone.

While most hackers target victims by enticing them to download a virus or malware file, this bug only requires a Chrome user to visit a Website that's designed to exploit this vulnerability.

Google told IBTimes that a software feature in the browser generates the text from a user’s voice, which is recorded by a computer microphone. Google said recorded text files contain “much less information” than audio files, and if no sound is detected for eight seconds after the last mouse click, the feature turns itself off.

Aharonovsky created a simple demonstration to show how the bug could work. In it, computer users are asked to use a mouse to drag and drop “seeds” onto the ground to grow a tree, increasing the likelihood that a voice recording is activated every eight seconds. He said this feature works even if users block access to the computer microphone in Chrome’s security settings.

The spokesperson said Google could not say when an update with a fix for the security flaw will be available. 

“I do not believe [the vulnerability] will be dismissed at this point,” Aharonovsky said. “It seems like they started to look for a way to quickly mitigate this flaw.”

Follow Reporter Thomas Halleck on Twitter
