Slashdot Mirror


Chrome Bugs Lets Sites Listen To Your Private Conversations

An anonymous reader writes "Last year Google rolled out a new feature for the desktop version of Chrome that enabled support for voice recognition directly into the browser. In September, a developer named Tal Ater found a bug that would allow a malicious site to record through your microphone even after you'd told it to stop. Quoting: 'When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can't start listening to you in background windows that are hidden to you. When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there.' Ater reported this to Google in September, and they had a fix ready a few days later. But they haven't rolled it out yet — they can't decide whether or not it's the proper way to block this behavior. Thus: the exploit remains. Ater has published the source code for the exploit to encourage Google to fix it."

109 comments

  1. Fixeds thats by Anonymous Coward · · Score: 5, Funny

    Chromes Bugs' Lets' Sites' Listens Tos Yours Privates Conversations'

    1. Re:Fixeds thats by vlueboy · · Score: 1
    2. Re:Fixeds thats by koan · · Score: 1

      das dildos,...

      --
      "If any question why we died, Tell them because our fathers lied."
    3. Re:Fixeds thats by Anonymous Coward · · Score: 0

      Whats mys privates has tos says is nots yours businesses.

  2. 2014 by DarkOx · · Score: 4, Insightful

    Why in 2014 does any self respecting browser allow pop-ups or pop-unders without explicit permission?

    Security issues aside there is almost nothing quite so irritating as a website opening additional windows except in the rare list of exceptions most of us are quite used to manually keeping.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:2014 by zacherynuk · · Score: 2

      I don't quite understand why auto popups like Livejasmin or 888casino can be allowed to popunder (I find them on client machines all the time) but whenever I ask one of my firewalls to display me a log, update firmware or whatever (sophos & pfsense) the browser blocks it. I 'king clicked a button and the browser blocks it. Users do apparently 'nothing' and gambling and porn appear.

      That said, uninstalling Chrome Browser and returning to firefox has been a great release.

    2. Re:2014 by cheater512 · · Score: 2

      They do something. They click on the page.

      Popups are allowed from a valid onclick event so the ads put an onclick event on the entire page.

    3. Re:2014 by Anonymous Coward · · Score: 1

      The problem is that Javascript specifically allows developers to hook directly into button actions: after all it wouldn't be a whole lot of use to display dialogs to users if you then couldn't handle the subsequent action.

      Of course the problem is that a web page can hook a legitimate button (like, say, "Show me the porn!") and add an action, like opening a new window. There's no way for the browser to know if that wasn't a legitimate request by the user, so you get LiveJasmin.com and such.

      The real question is: why do browsers still allow windows to pop under? There's literally no legitimate use for it.

    4. Re:2014 by ackthpt · · Score: 3, Informative

      I don't quite understand why auto popups like Livejasmin or 888casino can be allowed to popunder (I find them on client machines all the time) but whenever I ask one of my firewalls to display me a log, update firmware or whatever (sophos & pfsense) the browser blocks it. I 'king clicked a button and the browser blocks it. Users do apparently 'nothing' and gambling and porn appear.

      That said, uninstalling Chrome Browser and returning to firefox has been a great release.

      I've had to return to Firefox just to get away from recent bugs in Chrome. Chrome was a pretty good browser in its time, but it's heading towards the shark on greased water skis.

      --

      A feeling of having made the same mistake before: Deja Foobar
    5. Re:2014 by zacherynuk · · Score: 1

      Indeed; never mind the rest I can't believe in 2014 a browser won't allow you to select text at a usable rate!

      Firefox with noscript and ghostery is a joy to use in comparison (though it doesn't handle memory / scrolling very well with large pictures - even on an i7 with 24GB ram and twin GTX 690's) Add adblock on a firewall like untangle and even the tablets and phones in the house can get a decent internet boost.

    6. Re:2014 by s.petry · · Score: 1

      I think it's prudent to question whether this bug in Google's browser is intentional or unintentional. The list of underhanded and outright shitty things we know about being done is pretty long.

      If I bump into a person and it seems like an accident I can get away with apologizing. When I do it a second time, the apology should be taken with a grain of salt. When it happens a third time the person has the right to believe it was intentional and react. This is the point we should be at with not just the NSA and Google, but Politicians, Microsoft, RSA, etc.. Continuing to believe that everything is a friendly accident is delusional.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:2014 by viperidaenz · · Score: 1

      Because the 888casino popup was triggered directly from a user action. You may have clicked something or pressed a button.
      Like when you go to thepiratebay, no popups come up until you click in the search box.

      Your firewall must be doing it a different way.

    8. Re:2014 by lgw · · Score: 3, Insightful

      : after all it wouldn't be a whole lot of use to display dialogs to users if you then couldn't handle the subsequent action.

      Web pages don't need dialogs in separate windows. Seriously, they don't. That's an old-school UI concept dragged to an inappropriate place. You can present a dialog within the page, in a variety of ways. And if you really need to open a separate, permanent window, that's a new tab, and only if the user has explicitly granted permission for such.

      There's simply no legitimate requirement for a web browser to ever open another desktop UI window - render what you need to within the tabs you present.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:2014 by vlueboy · · Score: 3, Interesting

      They do something. They click on the page.

      Popups are allowed from a valid onclick event so the ads put an onclick event on the entire page.

      Not the whole story. Internet Explorer, that ol' browser none of us use when idle, is pretty aggressive blocking even onclick.
      It makes little sense that it's a default setting, and I can't recall.
      My first sense that browsers were in bed with the bad guys was 10+ years ago. I found some alt browser that expressly allowed me to block annoying behaviors:
      * scripted window movement and resizing
      * status bar text changes (crudely obfuscating hover text when you want to see where you'll land)
      * hide the menu bar, navigation bar and url so as to give a small HTML window popup (so you can't tell what url it loaded, how to turn back without keyboard [obscure to Joe Sixpack], and what domains to ban)

      All three of those may have had true uses before web 2.0 during your banking or e-commerce session. But today, css and floating divs can be used to blur the window selectively as to highlight the necessary context. They are vestiges that are not needed by legit sites, and yet are overused by sneaky sites. Browsers phased out blink tags, http + https iframe mix, urlbar javascript execution and other stuff, but don't get rid of pop unders, even as an option somewhere? intentional

    10. Re:2014 by mrbluze · · Score: 2

      I think it's prudent to question whether this bug in Google's browser is intentional or unintentional.

      I think it is safe to assume, for any verbal discussion of importance, that all smart phones in the room have their microphones on with voice recognition running. Sure, most of the time they are not, but:

      1. They are the perfect bugging tool.

      2. The person you are talking to might be recording everything anyway

      and 3. if you are in any kind of position that could possibly be envied, someone is bound to be doing this to you.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    11. Re:2014 by sexconker · · Score: 2

      The real question is: why do browsers still allow windows to pop under? There's literally no legitimate use for it.

      Site satisfaction surveys typically pop under so that when you close the main window you see the site satisfaction survey, it refreshes, and asks you shit about your visit.
      Same for a ton of those "eLearning" shits that make you sit through a video, click through pages of shit you're pretending to read, etc. while timing you, tracking your clicks and progress, etc. Often used for employer-mandated training sessions on shit like how not to rape people at work or how to properly walk so you don't trip and sue.

    12. Re:2014 by ozmanjusri · · Score: 2

      I think it's prudent to question whether this bug in Google's browser is intentional or unintentional.

      Chromium is open source. If this behavior exists in both Chrome and Chromium, then it's a bug, or most likely an unintended consequence.

      If it's only in Chrome, you're right, it'd be a very good idea to question Google's actions.

      --
      "I've got more toys than Teruhisa Kitahara."
    13. Re:2014 by Anonymous Coward · · Score: 1

      Because just as with all other Google services, YOU are the product being sold to advertisers.

    14. Re:2014 by zacherynuk · · Score: 2

      I asked a forum dev-mod if he could add an option on a new forum (Oculus Rift) a while back if we could at least have an option to open external links (outside of the current forum) in new tabs with a left click. The majority of the research and tech forums (especially) I frequent have this as an option - it just makes sense, somebody posts a reference link and you want to look at it without losing your place in the current thread, indeed if it's a picture or diagram having it load up whilst you continue reading is a bonus. I was shot down - apparently I am lazy for not middle clicking or right clicking on such links, citing that such programming practice is deemed unacceptable behavior as people don't like new tabs or windows. Which struck me as strange.

      Middle or right clicking on a tablet is a PITA. Especially if a post or thread contains mostly links to external reference content.

      Perhaps the pop and popunder is more a human decision than a logical one, and therefore a target for nefarious manipulation. So the extreme unwanted popunder must exist purely for nefarious purposes, shirly ?

    15. Re:2014 by vlueboy · · Score: 1

      The alt browser with the restriction options I mentioned was either iCab or Opera, btw.
      -vlueboy

    16. Re:2014 by s.petry · · Score: 1

      The bug being introduced in both does not show that it was not intentional. Google developers probably spend a lot of time working on the OSS version. For example, HP WebOS was open source. HP had several dozen developers working on the OSS source full time in addition to many dozens of other staff for the OSS software.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    17. Re:2014 by perryizgr8 · · Score: 0

      that your tablet browser doesn't support middle click or right click elegantly, is your tablet browser's bug. website designers should not be expected to cater to every stupid tablet limitation.

      --
      Wealth is the gift that keeps on giving.
    18. Re:2014 by Anonymous Coward · · Score: 0

      While you might like this behaviour, I know plenty of sites where this just annoys me, as I usually want to consciously decide if I want a new tab or not. On a tablet I find this even more annoying, as the stock browser has a limited number of tabs.

      The issue with opening a new tab by default is that there is no way to not open a new tab in that case that I am aware of, but the other way around it exists, thereby keeping the options.

    19. Re:2014 by hairyfeet · · Score: 2

      Well one of the nice things about Chrome being based on FOSS Chromium is you DO have choices, there is Dragon, SWIron, Chromium, just as with FF you have IceDragon, Kmeleon CCF ME, Seamonkey, Pale Moon, you don't have to just choose between FF and Chrome, there is a world of choices out there. Hell, if you want to get away from Chromium and gecko completely there is QTWeb which is just what it sounds like, Webkit with a QT UI. It's pretty nice, built in ABP and cross platform.

      That said what keeps me from giving anything Gecko based like FF to my customers is the simple fact that 7 fricking years after it was first released Firefox STILL doesn't support Low Rights Mode which is not just dumb, in this age of zero days it's downright reckless. I mean it's 2014 and Gecko STILL runs with the same rights as the user, WTF? Browsers are the #1 attack vector by a country mile, they should always run with the lowest permissions possible!

      So if you are looking at a browser with an eye to security you should be looking at something that uses the Chromium engine. Personally I've found that running the browser in low rights mode dropped infections in my customer's PCs right off the map, but running without LRM they ended up with bugs like the Yahoo Porn Bug and hidden iFrame tricks that just didn't seem to affect any browser running LRM. Kinda sad that IE runs in LRM, Chromium had support less than 6 months after its release, FF still don't.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    20. Re:2014 by AmiMoJo · · Score: 1

      I found some alt browser that expressly allowed me to block annoying behaviors:
      * scripted window movement and resizing
      * status bar text changes (crudely obfuscating hover text when you want to see where you'll land)
      * hide the menu bar, navigation bar and url so as to give a small HTML window popup

      Firefox used to have options to do all that, but they were removed. No Javascript simply can't hide the URL bar or move windows (it can select where to open them, within some limits).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:2014 by Anonymous Coward · · Score: 0

      Web designers have no business deciding where links open in my browser. That's my job. Any link that opens a new tab--or worse, is a javascript call that can't be opened in a new tab--is a strike against your site.

    22. Re: 2014 by xombo · · Score: 1

      Technically, target="_blank" is deprecated as-of HTML 5.

    23. Re: 2014 by xombo · · Score: 2

      One advantage of Microsoft standardizing on the metro interface is that popups and dialogues will become a thing of the past.

    24. Re: 2014 by lgw · · Score: 1

      Hmmm, I can't immediately spot the flaw in your claim, but since I take it on faith that nothing good can come from Metro, that just means I'm not looking hard enough. ;)

      --
      Socialism: a lie told by totalitarians and believed by fools.
    25. Re:2014 by Anonymous Coward · · Score: 0

      Another intentionally ignored annoyance:

      JS popups designed to make it near-impossible to leave a page. They're exclusively used by pushy salesmen and hackers.
      The JS popup may say "Don't close this window. OK , Cancel" and neither action will close it, basically forcing most users to log off Windows if they want to continue using the browser*. I had a crypto virus attempt this way just last night after hopping on IE. IE maps all exit events to trigger the exit JS, so hitting the X button, ALT-F4, right-clicking to pick close, trying to trigger Windows 7's new "Close all windows" macro, and even some rudimentary Taskkill won't obey me because that script just HAS more priority than my frantic clicking. Given that iexplore.exe uses multiple processes now, I had to randomly kill a few Flash instances and then IE.exes. Followed by a much delayed thorough AV check from the obvious window-kill fumbling.

      What I'd like is a PANIC! button for those sites to kill ALL browser windows
      stop all JS
      optimally, stop executing any processes forked off IE / Java / flash filesystem interactions

      Firefox already has a popup inhibitor catching m JS popup attempts per n seconds, but IE9 is still affected. Haven't checked in 10 and 11.

      * This is a DoS attack for your other browser windows. Since UAC's popup blocks everything and doesn't have a panic abort option, I'm surprised Windows malware has failed to massively use the "annoy the user till they hit 'Allow' tactic." Then again, most exploits I have seen after Vista bypass UAC via Java / Flash

    26. Re:2014 by Anonymous Coward · · Score: 0

      The JS popup may say "Don't close this window. OK , Cancel" and neither action will close it, basically forcing most users to log off Windows if they want to continue using the browser*. I had a crypto virus attempt this way just last night after hopping on IE.

      Forgot to mention that the page wanted my attention to its fake countdown giving me less than 48 hours to pay the ransom. They claimed my documents were already encrypted, which was fake.

    27. Re:2014 by Anonymous Coward · · Score: 0

      I had a quick support chat with my ISP hours ago with further proof that load-bearing pop-unders are unnecessary. The chat had opened in a popup (un-necessary, but oh well...) and the End button wisely reused the popup for a 4 question survey, and it was a good feeling not seeing more random stuff to approve under NoScript.

  3. It's O.K, I saw it. by Anonymous Coward · · Score: 0

    what you won't notice is that the site may have also opened another hidden popunder window

    I noticed it. Because I'm not an idiot and don't use a stupid OS that hides details like that from me.

    Sucks if you are, though.

  4. Yo Dawg by FuzzNugget · · Score: 0

    I herd u liked bugs...

    1. Re:Yo Dawg by weilawei · · Score: 1

      It's not a bug; it's a *feature!

      *Feature intended only for official government use. Unauthorized users will be penetrated to the full extent of gangrape.

    2. Re:Yo Dawg by Carnildo · · Score: 1

      It's not a bug; it's a *feature!

      No, this one is very definitely a bug.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:Yo Dawg by viperidaenz · · Score: 1

      It actually is a feature... The user explicitly gave the malicious website permission to use the mic until they explicitly revoke that permission. The problem is the malicious website didn't stop using them when the user did something they thought would stop it, without revoking the permission.

      No. Shit. Really?

    4. Re:Yo Dawg by gnupun · · Score: 1

      Why don't laptops have a physical shutter so the user can block both camera and mic? I don't like these hackable electronic switches for mic and camera. And I have to wonder whether not having a physical shutter is a feature or a bug?

    5. Re:Yo Dawg by hairyfeet · · Score: 1

      Mine does, it's an Asus EEE 1215B netbook, but from what I've seen most of the Asus laptops have it as well. It's nice to be able to just look up and know with 100% certainty that the camera isn't doing squat, so maybe you should look at whether the camera has a shutter before you purchase?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. surprise! by Tom · · Score: 4, Insightful

    Giving microphone access to a complex piece of software that's primarily used to render, interpret and run code fetched from random places on the Internet... what could possibly go wrong?

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:surprise! by Anonymous Coward · · Score: 2, Funny

      Ummmm... someone hears me burp and fart and type?

    2. Re:surprise! by zacherynuk · · Score: 2, Informative

      I thought this was a good one: "Xbox One Signout" "Xbox One Signout"

    3. Re:surprise! by Anonymous Coward · · Score: 0

      Don't worry, they'll be running native code plugins for performance soon, too. But I'm sure there's no way that anyone would find a single flaw in Google's hypervisor or anything.

    4. Re:surprise! by Anonymous Coward · · Score: 0

      What does that have to do with this story?

    5. Re:surprise! by zacherynuk · · Score: 1

      What does that have to do with this story ?

    6. Re:surprise! by viperidaenz · · Score: 2

      Because they're his private burps and farts!

    7. Re:surprise! by Anonymous Coward · · Score: 0

      a good one to try to troll xbox fans in a story about a google bug? yeah ... a little transparent though

    8. Re:surprise! by zacherynuk · · Score: 1

      OK pal I'll bite. The story is about Chrome being ALWAYS ON and remembering previous HTTPS websites as trusted and not re-prompting for rights to access devices.

      The post I replied to was a semi-sarcastic question about what could go wrong.

      My reply was an (imho) funny example of what can go wrong when a system is always listening, unintentionally or otherwise (a little bit similar to the title, and the post, wouldn't you agree?). And the example was a damn sight less serious or scary than the possibilities.

      So, I'll ask you again - "What does YOUR POST have to do with this story ?"

    9. Re:surprise! by jmhobrien · · Score: 1

      It's news like this that makes me point my webcam at the wall when I'm not using it.

      --
      Where is moderation: -1 False?
    10. Re:surprise! by Tom · · Score: 1

      Loved this. And no, it's totally on topic, because it's the same thing. Voice-control active during gaming which includes team chat. Yeah, what could possibly go wrong? ;-)

      (loved the girl's reaction. she was the only one with enough cool to laugh about it)

      --
      Assorted stuff I do sometimes: Lemuria.org
  6. Bugs in Chrome?!? by ackthpt · · Score: 2

    I mean, besides the few that were just rolled out? Seriously, it's getting more like IE* every day.

    *The bad ol' IE, unlike the rather slow and inept IE of today, which probably still has lots of bugs, too.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Bugs in Chrome?!? by Bengie · · Score: 3, Informative

      Chrome had a bug, stop the presses!

    2. Re:Bugs in Chrome?!? by mythosaz · · Score: 2

      Part of Google's response (or lack of one) includes that this isn't so much a bug as a feature, and the feature is being misused.

      If you authorize your microphone for evil.site, and evil.site opens another window, your microphone is still authorized for it -- because you (a) permanently authorized evil.site microphone access and (b) because you clicked on the microphone this session.

      Google will likely have to reduce the functionality of the microphone.

      Ideally they'll also use this as an opportunity to give more control of popup/popunder....

  7. What Are You, A Luddite? by Anonymous Coward · · Score: 0

    What no javascript, video playback, screen sharing, VoIP, WebRTC or RTCWeb(How FUCKING STUPID!), PDF rendering, Dart app execution?

    What luddite only looks at HTML?

    1. Re:What Are You, A Luddite? by epyT-R · · Score: 0

      I'm sure he does do RTC, pdfs, video playback, and screensharing, with appropriate client applications.. doing them in a browser is what's stupid.

  8. a developer named Tal? by stevegee58 · · Score: 2

    Subcommander Tal, is that you?

  9. What, me worry? by cold+fjord · · Score: 3, Funny

    Remain calm ....

    I'm sure that Oogle Peep View capture / Wi-Fi mapper / porn share finder vans will be by soon to distribute a patch in the background. It would be evil to not patch that, right?

    (Don't you love being able to search for your own posts within minutes from .... you know. )

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  10. Chrome sux less than IE but still sux by Anonymous Coward · · Score: 0

    i really don't understand why people like chrome. yeah, it's fast and was the first browser to run each tab in its own process/thread and do sandboxing...but they all do that now. chrome's interface, from the visual aspects to the incessant 'do it the google way' sends me into blind rage. firefox rules!

    1. Re:Chrome sux less than IE but still sux by perryizgr8 · · Score: 2

      ie was first with the process per tab thing.

      --
      Wealth is the gift that keeps on giving.
  11. Replace all the features... by ndykman · · Score: 1

    So, Windows has voice recognition. There's Nuance too. In Windows, when you are using the feature, there's a clear application on the top that shows you that it is listening. It works okay with a bit of training if you need that kind of thing.

    This trend by Google to replace more and more features of a desktop OS is really annoying. Notification features in the OS? Nah, just make a really small window in the corner that doesn't go away and just pops up now and then. Of course, the Microsoft voice recognition doesn't send every bit of audio to Google servers to be stored and used for training, so for Google, that's a feature, not a bug.

    I wish Google would realize that even if they don't like (or aren't good at) desktop development on Windows, Mac, Linux isn't an excuse to put everything in Chrome.

  12. Seems like reasonable behaviour. by viperidaenz · · Score: 1

    You grant permission for a website to listen to you.
    It opens a new window to the same domain, that window inherits those permissions.

    There is more than one way to mitigate this problem
    eg:
    1) Don't let any window, regardless of user granted permissions, listen while it's in the background. This is going to break websites when you switch tabs.
    2) Don't propagate this permission to child windows. That's going to break websites that popup a window for speech recognition that can persist between page navigations
    3) Prompt the user every time recognition is started. That's going to piss the user off every time they navigate to a new page, they'll need to authorise it again.
    4)... use your imagination, there's bound to be many more. All of them will remove legitimate functionality
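
The trade-offs in the mitigation list above, worked through as a small decision model. This is an added example, not part of the original post and not Chrome's code; the policy names, the four scenarios and the `https://speech.example` origin are assumptions made for illustration.

```javascript
// Toy model of "may this window start speech recognition?".
// Added illustration only: every name below is hypothetical.

// Origin the user has permanently granted microphone access to (constructed sample).
const ORIGIN = "https://speech.example";
const GRANTED = new Set([ORIGIN]);

// Each policy maps a start request to "allow", "prompt" or "deny".
const POLICIES = {
  // Behaviour described in the summary: a remembered grant applies to
  // every window of the origin, visible or not.
  baseline: (req) => (GRANTED.has(req.origin) ? "allow" : "prompt"),
  // Option 1: a window the user cannot see may never listen.
  noBackground: (req) => (req.visible ? POLICIES.baseline(req) : "deny"),
  // Option 2: script-opened child windows do not inherit the grant.
  noChildInherit: (req) =>
    req.openedByScript ? "prompt" : POLICIES.baseline(req),
  // Option 3: ask the user on every start.
  alwaysPrompt: () => "prompt",
};

// Constructed start requests. userExpects marks whether the user
// believes the site is (still) allowed to listen at that moment.
const SCENARIOS = {
  hiddenPopunder:  { origin: ORIGIN, visible: false, openedByScript: true,  userExpects: false },
  backgroundTab:   { origin: ORIGIN, visible: false, openedByScript: false, userExpects: true },
  speechPopup:     { origin: ORIGIN, visible: true,  openedByScript: true,  userExpects: true },
  newPageSameSite: { origin: ORIGIN, visible: true,  openedByScript: false, userExpects: true },
};

// Turn a raw decision into its effect on the user.
// A prompt in an unexpected window counts as "blocked": no audio is
// captured until the user sees the request and answers it.
function classify(decision, userExpects) {
  if (!userExpects) return decision === "allow" ? "silent-capture" : "blocked";
  return { allow: "works", prompt: "re-prompted", deny: "broken" }[decision];
}

// Full policy x scenario matrix.
function evaluate() {
  const out = {};
  for (const [policyName, policy] of Object.entries(POLICIES)) {
    out[policyName] = {};
    for (const [scenarioName, req] of Object.entries(SCENARIOS)) {
      out[policyName][scenarioName] = classify(policy(req), req.userExpects);
    }
  }
  return out;
}

// Policies that stop the hidden popunder without degrading any
// scenario the user does expect to work.
function costFreePolicies() {
  return Object.entries(evaluate())
    .filter(([, row]) =>
      row.hiddenPopunder === "blocked" &&
      Object.entries(row).every(
        ([name, effect]) => name === "hiddenPopunder" || effect === "works"))
    .map(([policyName]) => policyName);
}

console.table(evaluate());
console.log("cost-free policies:", costFreePolicies());
```

In this model only the baseline lets the hidden window capture audio, and each of the three options that blocks it degrades at least one expected use, which is the trade-off the list describes.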

    1. Re:Seems like reasonable behaviour. by BitZtream · · Score: 0

      5) Don't use Chrome or any other shitty web browser that thinks it needs to be an OS.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Seems like reasonable behaviour. by Anonymous Coward · · Score: 0

      This isn't a bug. It's like Slashdot posting this comment once I hit send, it's supposed to 'cause I told it.

  13. Hardware/OS level indicator by esaulgd7195 · · Score: 1

    The built-in camera on my Macbook turns on a hardware light whenever it's being used. Makes it pretty hard to not realize you are potentially being seen. All OSs should display an indicator on the top layer of the display, and enlarge/flash it in a pretty unmissable way every 5 minutes, whenever your camera OR microphone is active. Failure of an OS to do so should be labeled as what it is, a security hazard.

    1. Re:Hardware/OS level indicator by MrKaos · · Score: 1

      The built-in camera on my Macbook turns on a hardware light whenever it's being used. Makes it pretty hard to not realize you are potentially being seen. All OSs should display an indicator on the top layer of the display, and enlarge/flash it in a pretty unmissable way every 5 minutes, whenever your camera OR microphone is active. Failure of an OS to do so should be labeled as what it is, a security hazard.

      There was a slashdot article about an exploit for this not so long ago, camera on, led off.

      Best way to secure the camera is with a piece of black electrical tape, to secure the microphone unplug it or turn it off. Laptop mics are a bit trickier.

      --
      My ism, it's full of beliefs.
    2. Re:Hardware/OS level indicator by zacherynuk · · Score: 1

      That's a good point, however, it's been proven that these 'hardware' features can be overcome in software. Sad as it may seem I now have a USB extension lead to my webcam and only connect it when I need it. Example: Link

      What's really interesting, in my book, is the fact that Skype only started detecting plug in devices 'on the fly' after MS took over. If I hadn't had the device plugged in I would usually have had to quit / re-open Skype - or at least re-run through the video setup - nowadays Skype can run all the time and even half way through a text or audio conversation I can plug the webcam in and hey presto. Was this for us? Or for them?

    3. Re:Hardware/OS level indicator by Anonymous Coward · · Score: 0

      > Best way to secure the camera is with a piece of black electrical tape

      No, just no. Several places will remove cameras from laptops for less than $250. The one we now use at work is Mission:Repair (http://www.missionrepair.com). They do a great job, and have only ruined about 5% of the devices we've sent in for camera removal. Their iPhone camera removal service is even cheaper. I just got mine done for only $69 plus $35 shipping. It was worth every penny so I can use the same phone at work and outside of work. For iPads, they're even cheaper than that! I just got the cameras removed from a batch of ten iPad Mini Retinas for only $490. There's no reason to depend on a piece of tape when there's a cheap and reliable alternative.

    4. Re:Hardware/OS level indicator by Anonymous Coward · · Score: 0

      You're right that Mission Repair is awesome. We had ~500 iPads drop shipped to them for camera removal, and they only ruined about a dozen of them. The cameras are just too much of a risk to have on devices given to students. Several times we've had teachers here find pictures that could have put them in prison for a long time on devices that students have turned in. Mission Repair's camera removal service is a great peace of mind. I'm sorry, but the threat of corporate espionage that you described is nothing compared to the threat of being arrested for possession of child porn.

    5. Re:Hardware/OS level indicator by vux984 · · Score: 1

      No, just no. Several places will remove cameras from laptops for less than $250. The one we now use at work is Mission:Repair (http://www.missionrepair.com). They do a great job, and have only ruined about 5% of the devices we've sent in for camera removal

      I can't tell if that is sarcasm or not, but $250 to remove something, and 5% "ruined-device" rates are obscenely high IMHO.

      $25 bucks, and 0.1% ruined devices is much closer to the right ballpark.

    6. Re:Hardware/OS level indicator by vux984 · · Score: 5, Informative

      The built-in camera on my Macbook turns on a hardware light whenever it's being used.

      That is an assumption.

      Macs are now shipping with the camera power LED on a separate software-controlled circuit, so it's no longer the case that the light must be on for the camera to be on (or vice versa).

      Complete failure of secure hardware design. Way to go Apple.

    7. Re:Hardware/OS level indicator by Ultra64 · · Score: 1

      Wow, just $250 and only a 5% chance my device will break?

      That's sooooo much better than just covering it with one cent's worth of tape.

    8. Re: Hardware/OS level indicator by Anonymous Coward · · Score: 0

      Why not use parental restrictions to block camera use? It does not cost and does not damage the device / warranty

    9. Re:Hardware/OS level indicator by Anonymous Coward · · Score: 0

      He must be our newest iFanboy.
      So much to learn son, so much to learn...

      Welcome..

    10. Re:Hardware/OS level indicator by MrKaos · · Score: 1

      > I can't tell if that is sarcasm or not.

      Yeah it is, this AC is two of only one in circle jerk. That very loud popping sound is the cavitation effect of their head coming out of their ass.

      --
      My ism, it's full of beliefs.
    11. Re:Hardware/OS level indicator by Anonymous Coward · · Score: 0

      In addition, wasn't there a Snowden leak alleging that NSA has been able to hack webcams (not necessarily macs) without activating the hardware light?

  14. It's a feature. by Anonymous Coward · · Score: 0

    Puleeeze. Google's entire business model revolves around collecting information about people through pseudo-legit spying. This is clearly a deliberate feature that someone was expected to use. Google's just covering its ass.

    1. Re:It's a feature. by koan · · Score: 1

      It's completely legit, after all you read the TOS and clicked agree right?

      --
      "If any question why we died, Tell them because our fathers lied."
  15. Non-Chrome functionality? by Todd+Knarr · · Score: 1

    The article isn't clear, but my first thought is that this should be simple to deal with by just revoking permission for a site to use the mic. Except that when I check in Chrome, there's no way to enable this at all. The only references involve adding the Chrome Voice Control extension, which isn't included in Chrome by default. So while this is a problem, it doesn't seem to be one that can't be easily solved. If you're truly worried about it, don't install the extension or remove it if you've got it installed. If you want the extension, be careful of which sites you grant permission to and go and manually revoke permission when you're done. You ought to be reviewing permissions regularly anyway, not just for this but for anything you're granting extra permissions for.
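An added example, not part of the thread: one way to do the regular permission review suggested in the comment above is to read the profile's `Preferences` JSON and list every origin holding a standing microphone or camera grant. The key names (`profile.content_settings.exceptions.media_stream_mic` / `media_stream_camera`) and the setting codes (1 allow, 2 block, 3 ask) are assumptions about current Chrome builds, and the sample data is constructed.

```python
import json

# Constructed sample of a Chrome profile "Preferences" file (not real data).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://speech.example:443,*": {"setting": 1},
            "https://blocked.example:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://meet.example:443,*": {"setting": 1},
        },
    }}}
})

# Assumed content-setting codes: 1 = allow, 2 = block, 3 = ask.
SETTING_NAMES = {1: "allow", 2: "block", 3: "ask"}
CAPTURE_KEYS = ("media_stream_mic", "media_stream_camera")


def capture_grants(preferences_text):
    """Return sorted (device, origin, setting) tuples for mic/camera exceptions."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    rows = []
    for key in CAPTURE_KEYS:
        entries = exceptions.get(key)
        if not isinstance(entries, dict):
            continue  # no exceptions recorded for this device type
        for pattern, value in entries.items():
            # Keys look like "<requesting origin>,<embedding pattern>".
            origin = pattern.split(",", 1)[0]
            setting = value.get("setting") if isinstance(value, dict) else None
            rows.append((key, origin, SETTING_NAMES.get(setting, "unknown")))
    return sorted(rows)


def standing_allows(preferences_text):
    """Origins that can start capturing without a fresh permission prompt."""
    return [(d, o) for d, o, s in capture_grants(preferences_text) if s == "allow"]


if __name__ == "__main__":
    for device, origin in standing_allows(SAMPLE_PREFERENCES):
        print(f"{device}: {origin} may capture without a new prompt")
```

To audit a real profile, pass the text of that profile's `Preferences` file to `standing_allows` instead of the constructed sample.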

  16. Small steps to Total Surveillance by Taantric · · Score: 2

    This is just another in a long line of baffling (and user hostile) decisions Google has made for Chrome. What made me uninstall Chrome was the decision not to clear session cookies after Chrome exits.

    Even if you signed into a website without ticking "remember me" or "log me in automatically", Chrome would happily keep those session cookies so that on restart you find yourself still logged into those websites.

    Again in response to the uproar, Google said this was the behaviour they wanted for Chrome and user should manually sign out of each and every website each and every time before closing Chrome.

    1. Re:Small steps to Total Surveillance by Trax3001BBS · · Score: 1

      > Again in response to the uproar, Google said this was the behaviour they wanted for Chrome and user should manually sign out of each and every website each and every time before closing Chrome.

      Well I don't use Chrome, and always sign out of a site, if for nothing else to block a site's cookies (web beacons) from being active while surfing.
      -cookies are deleted when I shut the browser down.

    2. Re:Small steps to Total Surveillance by vlueboy · · Score: 1

      > Even if you signed into a website without ticking "remember me" or "log me in automatically", Chrome would happily keep those session cookies so that on restart you find yourself still logged into those websites.

      > Again in response to the uproar, Google said this was the behaviour they wanted for Chrome and user should manually sign out of each and every website each and every time before closing Chrome.

      Google's "behavior" yet again shows their twisted anti-privacy slant. I don't wanna know just how much Chrome has contributed to
      1) loved ones spying on us
      2) lost passwords due to complacent workers who never hit log out

      Just today I got yet another user who made me wonder just HOW people never learn their passwords and manage to keep logging in for 2 years, till their laptops are lost or refreshed. Between site-controlled "remember me" boxes and lazy browser culling, I think this solves the mystery. Thanks for opening my eyes to another frog boiling attempt.

  17. Easiest fix by JDG1980 · · Score: 1

    Chrome recently added a speaker icon to indicate which tabs are playing sound. Why not add a corresponding microphone icon to indicate which (if any) tabs are recording it? Since this would be implemented in the browser, it shouldn't be possible for sites to bypass it.

    1. Re:Easiest fix by Anonymous Coward · · Score: 0

      Because it's in a different window not a tab?

    2. Re:Easiest fix by JDG1980 · · Score: 1

      > Because it's in a different window not a tab?

      Even simpler fix: if the user has tabbed browsing enabled (does Chrome even work any other way?) then web pages should never be allowed to open in a new window. If they ask for a new window, give them a new tab instead. 99% of the time, this is what the user wants (assuming they even want the content at all).

  18. Re:IE isn't bad anymore by Billly+Gates · · Score: 1

    I would consider using it if it had more plugin support and if website makers still didn't feed IE 6 specific jscript code to it. IE 11 fixed this by ignoring jscript and only supporting ECMA compliant javascript. This broke corporate apps of course reliant on ancient IE behavior.

    Slashdot thanks it with a headline "IE BREAKS MORE SITES AGAIN" and the crowd hounds it for non standard behavior LOL. Even though making it act like Chrome and Firefox is what caused this.

    But you can get adblock plus for it now and it scores fairly well in HTML 5 compliance tests with up to 90% of Firefox's features. It has the lowest cpu utilization and like Chrome is secure with low-rights and sandboxing which Firefox still frustratingly lacks.

    But man like your post says MS created a lot of badwill from first forcing IE 6 on every computer back in the day against Netscape (another shitty browser too which was not W3C compliant), and MS let IE 6 rot for years and years and years to the point where our places of work were stuck with it for years longer.

    If you put a gun to my head and forced me to use it for the rest of my life I certainly could at this point without wanting to risk taking the bullet instead. :-)

  19. users are the product. this is a feature by Anonymous Coward · · Score: 0

    it must be a feature and not a bug if they have the "fix" but don't put it in. remember if you don't pay for a commercial product (be it chrome gmail or facebook) you are the product, for sale to advertisers and whoever else wants to pony up for the data

  20. In conclusion by Swampash · · Score: 1

    "open"

  21. Don't give malicious sites permission by Gavagai80 · · Score: 0

    If you think a website is controlled by your enemies or the government or someone who benefits from listening to you, don't give the website permission to your microphone in the first place. Then you're safe from this exploit, since the exploit only works with sites you've already expressly approved.

    --
    This space intentionally left blank
    1. Re:Don't give malicious sites permission by Anonymous Coward · · Score: 0

      it's opt out retard, it's already been on for months and you didn't even know it, now how is that smug shit sounding now wiseass

  22. Whose fault really by Trax3001BBS · · Score: 1

    People should really expect this and disconnect everything when they're done.

    All my monitors since the 90's have had a WebCam built in but I didn't buy any for that reason, and have always disabled the webcam by not supplying a USB cable for its use. Only once have I ever used one and just for a few hours.

    I have a Mic plugged in now for the POS BF4, and assume I can be heard at anytime. It's not Google's fault or Windows but Flash. I always have disabled flash's Webcam and Mic. Used to be it would reset after every update, then kept the settings, now there's a list of preferred (by adobe) sites that I can block but I'd rather delete them - Flash hangs if I try even one.

    Found a file GTBcheck.exe (GoogleToolBar) it's from updating Flash and it trying to install Chrome as well - awhile ago.

  23. I've switched recently as well by Sycraft-fu · · Score: 4, Interesting

    Not to say I like Firefox, but I am currently hating it the least. All the browsers are problematic in my opinion, just in different ways. I used FF for a long time but its Flash issues were just too much, among other things, so I switched to Chrome. Now I'm back on FF. I really like a lot about IE, but it has too many problems rendering a number of websites correctly so it is out.

    Nobody can seem to make a good browser, just a less bad one :P.

  24. No turning back the clock. by westlake · · Score: 1

    Giving microphone access to a complex piece of software that's primarily used to render, interpret and run code fetched from random places on the Internet... what could possibly go wrong?

    The world wide web and web browser has been a two-way means of communication for quite some years now.

    1. Re:No turning back the clock. by yanyan · · Score: 1

      I believe the voice recognition feature was added as a user interface for the browser, not the web pages themselves. Why or how the audio could get captured by another listener is the question.

    2. Re:No turning back the clock. by rmdingler · · Score: 2

      I wondered why they were pushing Dragon on infomercials like it was going out of style.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  25. Dumped Chrome a month ago by koan · · Score: 1

    That is all.

    --
    "If any question why we died, Tell them because our fathers lied."
  26. Mic override. by Anonymous Coward · · Score: 0

    This is why I disabled the Google update service in system services after Chrome 31, disabled the onboard microphone, and use an external mic with a manual shutoff switch.

  27. The proper way by Anonymous Coward · · Score: 0

    is to have two LEDs - one lights up when the camera is on, the other when the microphone is on. They should be hardwired, not subject to software control.

  28. Chrome sucks by Anonymous Coward · · Score: 0

    Promised so much, but each release is bigger and bloatier. It takes a ridiculous amount of memory each page. Given the overhead, the whole idea of isolating pages to protect against crashes is a dumb idea (why not write browser code that doesn't crash instead?) and what point is all this since the plugins can serve you ads, with the blessings of Google. Buggy and slow, why would you bother? I went back to Firefox long ago.

  29. Yes it is by Anonymous Coward · · Score: 0

    It's supposed to clearly indicate whenever it's listening, which it is not. It's definitely a bug and the Chrome developers have acknowledged this after more than 4 months of silently ignoring it. (For them, the story is probably very annoying, because now they have to introduce a new bug equivalent to the previous one.)

  30. In soviet... by Anonymous Coward · · Score: 0

    In soviet Russia, something something you!

  31. mouse can be disabled without permission by Anonymous Coward · · Score: 0

    believe me

  32. Just more crap from the crap factory? by walterbyrd · · Score: 1

    > Google dismisses eavesdropping threat in Chrome feature
    > Google said there's no threat from a speech recognition feature in its Chrome browser that a developer said could be used to listen in on users.

    http://www.techworld.com.au/article/536592/google_dismisses_eavesdropping_threat_chrome_feature/

  33. Google thinks all connections should be trusted by Anonymous Coward · · Score: 0

    This is actually the reason that Chrome tries to render numerous tabs in a single process, instead of in isolation from each other. Scripting in Chrome cannot currently be secured. The relevant documentation all but explicitly states Chrome was designed this way to help Google's AJAX communicate with itself. It apparently was never considered that there are sites less trustworthy than Google which could exploit security holes like this exactly as described by Ater.

  34. Here is how to get Google to fix this by Anonymous Coward · · Score: 0

    Go to: chrome://settings/content
    Scroll down to Media and select:
    "Do not allow sites to access my camera and microphone"
    Click Done and close all Chrome windows.

    While you cannot use the voice recognition in Chrome till you change it back, this will light a fire under Google if people quit using the feature.

  35. i want this app for others by Anonymous Coward · · Score: 0

    I could use this on a few people