Slashdot Mirror


Chrome Bugs Lets Sites Listen To Your Private Conversations

An anonymous reader writes "Last year Google rolled out a new feature for the desktop version of Chrome that enabled support for voice recognition directly into the browser. In September, a developer named Tal Ater found a bug that would allow a malicious site to record through your microphone even after you'd told it to stop. Quoting: 'When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can't start listening to you in background windows that are hidden to you. When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there.' Ater reported this to Google in September, and they had a fix ready a few days later. But they haven't rolled it out yet — they can't decide whether or not it's the proper way to block this behavior. Thus: the exploit remains. Ater has published the source code for the exploit to encourage Google to fix it."
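The permission behaviour quoted in the summary, as an added example that is not part of the original post and is not Chrome's code: a small model of a remembered per-origin microphone grant, next to a stricter check that ties the grant to a visible window the user has interacted with. The class, the window fields, the function names and the `.example` origins are all hypothetical, and the stricter policy is an assumption, not the fix Google prepared.

```javascript
// Simplified model of the behaviour quoted above. This is NOT Chrome's code:
// PermissionStore, the window fields and both policy functions are hypothetical.
class PermissionStore {
  constructor() {
    this.granted = new Set();
  }
  // Per the quote, the choice is remembered for HTTPS sites.
  grant(origin) {
    if (!origin.startsWith("https://")) return false;
    this.granted.add(origin);
    return true;
  }
  has(origin) {
    return this.granted.has(origin);
  }
}

// Behaviour as described: a remembered grant for the origin is enough,
// no matter which window of that origin asks for the microphone.
function mayCaptureAsDescribed(store, win) {
  return store.has(win.origin);
}

// Stricter policy (an assumption, not Google's pending fix): the remembered
// grant only counts in a window the user can see and has interacted with.
function mayCaptureStrict(store, win) {
  return store.has(win.origin) && win.visible && win.userInteracted;
}

// Audit helper: windows that would be listening with no on-screen indication.
function hiddenListeners(store, windows, policy) {
  return windows.filter((w) => policy(store, w) && !w.visible).map((w) => w.name);
}

// Constructed sample session: one site the user trusted, plus its popunder.
const store = new PermissionStore();
store.grant("https://speech.example");
const windows = [
  { name: "main", origin: "https://speech.example", visible: true, userInteracted: true },
  { name: "popunder", origin: "https://speech.example", visible: false, userInteracted: false },
  { name: "other", origin: "https://news.example", visible: true, userInteracted: true },
];

console.log(hiddenListeners(store, windows, mayCaptureAsDescribed));
console.log(hiddenListeners(store, windows, mayCaptureStrict));
```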

27 of 109 comments

  1. Fixeds thats by Anonymous Coward · · Score: 5, Funny

    Chromes Bugs' Lets' Sites' Listens Tos Yours Privates Conversations'

  2. 2014 by DarkOx · · Score: 4, Insightful

    Why in 2014 does any self respecting browser allow pop-ups or pop-unders without explicit permission?

    Security issues aside there is almost nothing quite so irritating as a website opening additional windows except in the rare list of exceptions most of us are quite used to manually keeping.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:2014 by zacherynuk · · Score: 2

      I don't quite understand why auto popups like Livejasmin or 888casino can be allowed to popunder (I find them on client machines all the time) but whenever I ask one of my firewalls to display me a log, update firmware or whatever (sophos & pfsense) the browser blocks it. I 'king clicked a button and the browser blocks it. Users do apparently 'nothing' and gambling and porn appear.

      That said, uninstalling Chrome Browser and returning to Firefox has been a great release.

    2. Re:2014 by cheater512 · · Score: 2

      They do something. They click on the page.

      Popups are allowed from a valid onclick event so the ads put an onclick event on the entire page.

    3. Re:2014 by ackthpt · · Score: 3, Informative

      I don't quite understand why auto popups like Livejasmin or 888casino can be allowed to popunder (I find them on client machines all the time) but whenever I ask one of my firewalls to display me a log, update firmware or whatever (sophos & pfsense) the browser blocks it. I 'king clicked a button and the browser blocks it. Users do apparently 'nothing' and gambling and porn appear.

      That said, uninstalling Chrome Browser and returning to Firefox has been a great release.

      I've had to return to Firefox just to get away from recent bugs in Chrome. Chrome was a pretty good browser in its time, but it's heading towards the shark on greased water skis.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:2014 by lgw · · Score: 3, Insightful

      : after all it wouldn't be a whole lot of use to display dialogs to users if you then couldn't handle the subsequent action.

      Web pages don't need dialogs in separate windows. Seriously, they don't. That's an old-school UI concept dragged to an inappropriate place. You can present a dialog within the page, in a variety of ways. And if you really need to open a separate, permanent window, that's a new tab, and only if the user has explicitly granted permission for such.

      There's simply no legitimate requirement for a web browser to ever open another desktop UI window - render what you need to within the tabs you present.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:2014 by vlueboy · · Score: 3, Interesting

      They do something. They click on the page.

      Popups are allowed from a valid onclick event so the ads put an onclick event on the entire page.

      Not the whole story. Internet Explorer, that ol' browser none of us use when idle, is pretty aggressive blocking even onclick.
      It makes little sense that it's a default setting, and I can't recall.
      My first sense that browsers were in bed with the bad guys was 10+ years ago. I found some alt browser that expressly allowed me to block annoying behaviors:
      * scripted window movement and resizing
      * status bar text changes (crudely obfuscating hover text when you want to see where you'll land)
      * hide the menu bar, navigation bar and url so as to give a small HTML window popup (so you can't tell what url it loaded, how to turn back without keyboard [obscure to Joe Sixpack], and what domains to ban)

      All three of those may have had true uses before web 2.0 during your banking or e-commerce session. But today, css and floating divs can be used to blur the window selectively as to highlight the necessary context. They are vestiges that are not needed by legit sites, and yet are overused by sneaky sites. Browsers phased out blink tags, http + https iframe mix, urlbar javascript execution and other stuff, but don't get rid of pop unders, even as an option somewhere? intentional

    6. Re:2014 by mrbluze · · Score: 2

      I think it's prudent to question whether this bug in Google's browser is intentional or unintentional.

      I think it is safe to assume, for any verbal discussion of importance, that all smart phones in the room have their microphones on with voice recognition running. Sure, most of the time they are not, but:

      1. They are the perfect bugging tool.

      2. The person you are talking to might be recording everything anyway

      and 3. if you are in any kind of position that could possibly be envied, someone is bound to be doing this to you.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    7. Re:2014 by sexconker · · Score: 2

      The real question is: why do browsers still allow windows to pop under? There's literally no legitimate use for it.

      Site satisfaction surveys typically pop under so that when you close the main window you see the site satisfaction survey, it refreshes, and asks you shit about your visit.
      Same for a ton of those "eLearning" shits that make you sit through a video, click through pages of shit you're pretending to read, etc. while timing you, tracking your clicks and progress, etc. Often used for employer-mandated training sessions on shit like how not to rape people at work or how to properly walk so you don't trip and sue.

    8. Re:2014 by ozmanjusri · · Score: 2

      I think it's prudent to question whether this bug in Google's browser is intentional or unintentional.

      Chromium is open source. If this behavior exists in both Chrome and Chromium, then it's a bug, or most likely an unintended consequence.

      If it's only in Chrome, you're right, it'd be a very good idea to question Google's actions.

      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:2014 by zacherynuk · · Score: 2

      I asked a forum dev-mod if he could add an option on a new forum (Oculus Rift) a while back if we could at least have an option to open external links (outside of the current forum) in new tabs with a left click. The majority of the research and tech forums (especially) I frequent have this as an option - it just makes sense, somebody posts a reference link and you want to look at it without losing your place in the current thread, indeed if it's a picture or diagram having it load up whilst you continue reading is a bonus. I was shot down - apparently I am lazy for not middle clicking or right clicking on such links, citing that such programming practice is deemed unacceptable behavior as people don't like new tabs or windows. Which struck me as strange.

      Middle or right clicking on a tablet is a PITA. Especially if a post or thread contains mostly links to external reference content.

      Perhaps the pop and popunder is more a human decision than a logical one, and therefore a target for nefarious manipulation. So the extreme unwanted popunder must exist purely for nefarious purposes, shirly ?

    10. Re:2014 by hairyfeet · · Score: 2

      Well one of the nice things about Chrome being based on FOSS Chromium is you DO have choices, there is Dragon, SWIron, Chromium, just as with FF you have IceDragon, Kmeleon CCF ME, Seamonkey, Pale Moon, you don't have to just choose between FF and Chrome, there is a world of choices out there. Hell, if you want to get away from Chromium and Gecko completely there is QTWeb which is just what it sounds like, Webkit with a QT UI. It's pretty nice, built in ABP and cross platform.

      That said what keeps me from giving anything Gecko based like FF to my customers is the simple fact that 7 fricking years after it was first released Firefox STILL doesn't support Low Rights Mode which is not just dumb, in this age of zero days it's downright reckless. I mean it's 2014 and Gecko STILL runs with the same rights as the user, WTF? Browsers are the #1 attack vector by a country mile, they should always run with the lowest permissions possible!

      So if you are looking at a browser with an eye to security you should be looking at something that uses the Chromium engine. Personally I've found that running the browser in low rights mode dropped infections in my customer's PCs right off the map, but running without LRM they ended up with bugs like the Yahoo Porn Bug and hidden iFrame tricks that just didn't seem to affect any browser running LRM. Kinda sad that IE runs in LRM, Chromium had support less than 6 months after its release, FF still don't.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re: 2014 by xombo · · Score: 2

      One advantage of Microsoft standardizing on the metro interface is that popups and dialogues will become a thing of the past.

  3. surprise! by Tom · · Score: 4, Insightful

    Giving microphone access to a complex piece of software that's primarily used to render, interpret and run code fetched from random places on the Internet... what could possibly go wrong?

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:surprise! by Anonymous Coward · · Score: 2, Funny

      Ummmm... someone hears me burp and fart and type?

    2. Re:surprise! by zacherynuk · · Score: 2, Informative

      I thought this was a good one: "Xbox One Signout" "Xbox One Signout"

    3. Re:surprise! by viperidaenz · · Score: 2

      Because they're his private burps and farts!

  4. Bugs in Chrome?!? by ackthpt · · Score: 2

    I mean, besides the few that were just rolled out? Seriously, it's getting more like IE* every day.

    *The bad ol' IE, unlike the rather slow and inept IE of today, which probably still has lots of bugs, too.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Bugs in Chrome?!? by Bengie · · Score: 3, Informative

      Chrome had a bug, stop the presses!

    2. Re:Bugs in Chrome?!? by mythosaz · · Score: 2

      Part of Google's response (or lack of one) includes that this isn't so much a bug as a feature, and the feature is being misused.

      If you authorize your microphone for evil.site, and evil.site opens another window, your microphone is still authorized for it -- because you (a) permanently authorized evil.site microphone access and (b) because you clicked on the microphone this session.

      Google will likely have to reduce the functionality of the microphone.

      Ideally they'll also use this as an opportunity to give more control of popup/popunder....

  5. a developer named Tal? by stevegee58 · · Score: 2

    Subcommander Tal, is that you?

  6. What, me worry? by cold+fjord · · Score: 3, Funny

    Remain calm ....

    I'm sure that Oogle Peep View capture / Wi-Fi mapper / porn share finder vans will be by soon to distribute a patch in the background. It would be evil to not patch that, right?

    (Don't you love being able to search for your own posts within minutes from .... you know. )

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  7. Small steps to Total Surveillance by Taantric · · Score: 2

    This is just another in a long line of baffling (and user hostile) decisions Google has made for Chrome. What made me uninstall Chrome was the decision not to clear session cookies after Chrome exits.

    Even if you signed into a website without ticking "remember me" or "log me in automatically", Chrome would happily keep those session cookies so that on restart you find yourself still logged into those websites.

    Again in response to the uproar, Google said this was the behaviour they wanted for Chrome and users should manually sign out of each and every website each and every time before closing Chrome.

  8. Re:Hardware/OS level indicator by vux984 · · Score: 5, Informative

    The built-in camera on my Macbook turns on a hardware light whenever it's being used.

    That is an assumption.

    Macs are now shipping with the camera power LED on a separate software controlled circuit so it's no longer the case that the light must be on for the camera to be on (or vice versa).

    Complete failure of secure hardware design. Way to go Apple.

  9. I've switched recently as well by Sycraft-fu · · Score: 4, Interesting

    Not to say I like Firefox, but I am currently hating it the least. All the browsers are problematic in my opinion, just in different ways. I used FF for a long time but its Flash issues were just too much, among other things, so I switched to Chrome. Now I'm back on FF. I really like a lot about IE, but it has too many problems rendering a number of websites correctly so it is out.

    Nobody can seem to make a good browser, just a less bad one :P.

  10. Re:No turning back the clock. by rmdingler · · Score: 2

    I wondered why they were pushing Dragon on infomercials like it was going out of style.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  11. Re:Chrome sux less than IE but still sux by perryizgr8 · · Score: 2

    IE was first with the process per tab thing.

    --
    Wealth is the gift that keeps on giving.