Google Chrome Flaw Sets Your PC's Mic Live
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
Yeah right.
I swear to God...I swear to God! That is NOT how you treat your human!
An "accidental bug" which enables not only the microphone (even when it's supposed to be turned off) but text to speech conversion? No way.
If anyone can find an honest prosecutor, criminal prosecution is in order.
This flaw, plus heartbleed, makes it sound like all the conspiracy theorists got together for a secret cabal to convince the world that the NSA really is out to get everyone.
John
Hope they like the Scrubs episode I am watching.
Now Gorgol will know that I am a genius who composes poems to myself whyile watchiend inernet movies at breions wiijkmas of the nighnbt! BAD I will SUE THEUR PANETS OFF!!!
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Slashdot Beta sets your eyes on fire.... with rage!
I talk to myself in different voices all the time, and engage in detailed plots to take over the world.
If I haven't been picked up by the Men In White Coats by now, they aren't listening.
[End Of Line]
They are turning on the built in microphone? EXCELLENT! Google can sure do stuff I never imagined possible...
I have an old cheap laptop (still running XP) that doesn't have a microphone built in so somehow I don't think they are doing anything of the kind, at least to me.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
"The security flaw in the Chrome browser emerges just as the world is confronting the frightening prospect of an undetectable bug known as Heartbleed, that makes millions of passwords vulnerable to being stolen".
'It is being widely reported in the popular press as well as many technical sites that a Heartbleed exploitation "leaves behind no trace"'. That of course is not true.
SSL Server Test
This is how Batman is going to be able to find the Joker, and we're all going to be glad when he puts a stop to his plot to poison the whole city.
You see? You see? Your stupid minds! Stupid! Stupid!
Get the wife & kids to learn and speak Navajo at home. It worked for the USA in World War II so it can work for you too!
This kind of thing should push manufacturers to put hardware on-off switches for both the microphone and the webcam. A simple LED isn't enough, especially if those LEDs aren't directly tied to the power lines of the hardware anymore - I'm looking at you, Apple.
Get free satoshi (Bitcoin) and Dogecoins
The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix."
8 seconds? That's about all I need when visiting the proper website.
I assume that this is the same thing as reported a few months ago? If so, then it is not so simple: the attacking website needs to create a pop-under so that the microphone symbol is hidden. And pop-unders are difficult to achieve with Chrome with the popup blocker activated (as is usually the case).
Since Kinect also has a model where it's always listening in order to be able to execute commands, I wonder if there's any similar vulnerability from the Kinect web browser (not that many people probably use the Xbox One for browsing, but still).
---> Kendall
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Simple solution, make a personal "cone of silence" around your chair and wear a mask.
My my...how could this be, another vulnerability in open source software...
I've got $10,000 that says you don't weigh an ounce under 350 pounds.
"Let's give web browsers direct access to hardware!", they said, "it'll be great!"
Cool! Talking money! What else does it talk about? Amateur cricket? Becky's new sweater?
"WTF do I have to keep clicking this stupid button for 8 seconds to make this site work???"
I haven't had a microphone connected to my computer since about 2001.
Actually, that's not the problem. The voices in my head are okay. The voices in your head are a bunch of assholes, however. Tell them to shut up, please.
If you actually believe that you are being specifically targeted for surveillance by a government agency, yes. Followed by re-assembling it, putting glitter glue on every single seal and taking photos to make it virtually impossible to tamper with undetectably again. Meanwhile you should continue to assume that every device you own, and several you don't, are still reporting your every move, and therefore never say anything important online. Fighting for absolute privacy online against a determined foe is as stupid as the MAFIAA anti-copying wars for the same reason: You're trying to make devices whose whole purpose is to record, copy and transmit data... not record, copy and transmit data.
If not, you probably shouldn't assume that every manufacturer out there is part of a conspiracy to listen to your grunting while you fap, and if there was a broader one, someone would discover it during a teardown soon enough.
Call me paranoid, but I always keep a blank plug in the mic jack, effectively disabling the mic input. When I ~want~ to use the mic, I will remove the plug. (I also have a cover over the camera....)
Procrastination; I'll think of a sig tomorrow.
First, I didn't drag anything and I got popups saying "speak up now" with a volume meter. When I started dragging "seeds", the popups were gone. But in the end I always got "You didn't say anything", even though I was talking to myself the whole time as I usually do, only this time I was trying to speak loud and clear. My roommate must be convinced by now that I'm crazy.
How is speech-to-text supposed to work in Chrome? Shouldn't you get the "allow microphone access" coathanger?
So, no thanks to TFA, I found the actual bug report, and it turns out the guy went public less than 2 days after reporting the bug to Google. Talk about impatient. And it's not true that "Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media". It's true that it was originally given a low-severity label at first, it was bumped to medium a day-and-a-half later, then up to high a few hours after that--around the same time that he went to reddit about it. Not exactly sure if it was before or after, since I don't know the timezone of the times reported on Chrome's issue tracker, but one of the comments from Google says that they had already bumped the severity rating before they knew about him going public.
THAT is the underlying question which matters most.
I laugh my ass off when I see people upset that Google has done something which is intrusive. You people won't realize there is a shark in your swimming pool until it bites your fucking legs off.
Large corporations often have big packet storage for monitoring and troubleshooting purposes. For inbound Internet traffic, this often translates to multiple days of stored packets for all that inbound traffic. Many companies will have had packet data that stretched back to prior to the public disclosure of Heartbleed, meaning that those stored records of exploits would cover the time from when the cat was out of the bag and the exploit was suddenly known to everyone and their brother. That's not meant to imply that a company would have packet data stretching all the way back to when the bug was first introduced in OpenSSL a couple years ago, but being able to look at recorded packets does help with identifying what happened once the craziness broke loose with Monday's disclosure.
Since DOS fell into general disuse, neither audio input nor keyboard input is especially "direct access to hardware". The device driver handles the direct access under the control of the API infrastructure in the operating system. Thus being able to read an audio input device through an audio input API is not direct access any more than being able to read an alphabetic keyboard device through a keyboard API is direct access.
The more you click, the more cookies you bake during a click frenzy. (Not that Cookie Clicker uses this exploit, mind you.)
I did a little critical thinking. I asked myself, "What's the story behind voice search? I don't know anything about it." It turns out you have to click to turn on voice Search. They aren't recording everything by default: https://support.google.com/chr... What they do with the recordings and how long they keep them, I don't know.
I didn't think the house band in Hell would play this badly.
...NSA spokesperson declared: "It's not a bug, it's a feature".
Remember that awkward interview with Zuckerberg where he was asked why some of the FB privacy stuff was opt-out instead of opt-in? I think a lot of companies have learnt from that exchange. Other than nerds, the average person won't care about this as well. Hell 7 years ago all of us would be highly suspicious of software that downloaded unverifiable executables and could update them behind your back like Chrome does now. In the same way where you don't have control over the UI experience of a website, soon any program will be able to modify itself at-will removing control from the user. I remember people being outraged by cookies in the early 00s. The frog has been in the water too long...
I think this is the link to the bug report in question:
https://code.google.com/p/chro...
Seems legit. f#$!.. Google don't be evil. This attributes to being evil, regardless whether it happened knowingly.
Hivemind harvest in progress..
I for one think we should all thank NSA for taking the trouble to transcribe everything and save the bandwidth.
If we have to lose our privacy, let's do it efficiently.
Google Chrome is the most widely used browser. Yet it has so many flaws it is unbelievable! Is there any browser out there that aims to keep it simple and lightweight but isn't crap?
I get a "Speak Now" bubble when I visit the demonstration website. Isn't that sort of a dead giveaway that something is amiss?
I don't see this as a particularly big flaw unless the bubble is hidden in certain instances.
-- Marcio
So they went from actively looking for bugs from users and paying for them to the traditional lying about them, downplaying them, and never patching them until someone blows the whistle on it.
Attempt by democrats to spy on ALL of us! The idiot, moron, leftist, socialist, democrats can't get enough of spying on us all!
I tried the proof of concept. I had the TV on moderately loud in the background. When I got done, the site said it didn't get anything, I needed to speak louder.
So, if you are dumb enough to go to a web site, make it full screen because it insists on it, continuously click on something and speak your secrets loudly into the microphone, this is a devastating security issue. However, since all your money has already been taken by various Nigerian princes, you don't have much to lose.