Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Flaw Sets Your PC's Mic Live

Posted by timothy on from the lives-of-others dept.

First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."

35 of 152 comments (clear)

  1. Flaw? by GodfatherofSoul · · Score: 5, Interesting

    Yeah right.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Flaw? by fustakrakich · · Score: 5, Insightful

      Yeah, the flaw is that it wasn't hidden well enough..

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Flaw? by noh8rz10 · · Score: 2, Interesting

      WTF WHY IS CHROME TRANSCRIBING EVERYTHING I SAY??? are they looking for keywords to advertise against, like they do in gmail? the bug here is that some websites are gaining access to the transcriptions that are supposed to only go to google?

      I admit that sometimes I have my tinfoil hat on, but this is absurdly beyond the scope of anything I could have imagined.

    3. Re:Flaw? by Anonymous Coward · · Score: 2, Interesting

      WHY are you using a proprietary commercial suite to browse the web??

      Captcha: nonsense

    4. Re:Flaw? by Anonymous Coward · · Score: 3, Insightful

      But why is the browser accessing the microphone in the first place?

    5. Re:Flaw? by narcc · · Score: 2

      Also, I will no longer test the software I develop with their browser. In this way, I will contribute to making Firefox deliver a substandard user experience to those who do choose to support them.

      How consistent are you?

      Do you use Google Chrome? Google openly supports gay marriage, so you must not test your code in their browser either, right? So does Microsoft, so IE is right out.

      Ah, you must be a Safari user! Oh, wait. Apple also openly supports gay marriage. I guess that can't be it.

      So... with what browser DO you test your software? Are you the last HotJava user? That would be pretty wild.

      --
      Required reading for internet skeptics
  2. How conveeeenient! by plover · · Score: 5, Insightful

    This flaw, plus heartbleed, makes it sound like all the conspiracy theorists got together for a secret cabal to convince the world that the NSA really is out to get everyone.

    --
    John
    1. Re:How conveeeenient! by ArcadeMan · · Score: 4, Insightful

      The NSA really is out to get everyone! Except themselves, of course. That's private.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:How conveeeenient! by Wootery · · Score: 3, Insightful

      What the NSA does with itself in the privacy of the its comically failed oversight process, is its own business.

    3. Re:How conveeeenient! by cascadingstylesheet · · Score: 3

      The NSA really is out to get everyone! Except themselves, of course. That's private.

      If only there were some way to rein them in ...

      I've got it! "Progressives" could control the Executive branch for over five years. I'd love to see the NSA pull this stuff then!

    4. Re:How conveeeenient! by Johann+Lau · · Score: 2

      I could have made the exact same point using a million comparisons, but I like to stick with Hitler just to give people like you something to get excited about ^^

  3. Re:Google had to have put this in on purpose by MozeeToby · · Score: 4, Informative

    Of course it's built in, it's part of the "ok google" keyword that Google Now (recently added to the Chrome browser) uses to detect an incoming command. The flaw is that transcript is kept for any length of time and that it's available to websites being viewed.

  4. Don't Worry, Folks. by IonOtter · · Score: 4, Funny

    I talk to myself in different voices all the time, and engage in detailed plots to take over the world.

    If I haven't been picked up by the Men In White Coats by now, they aren't listening.

    --
    [End Of Line]
  5. Undetectable Heartbleed bug? by DTentilhao · · Score: 2

    "The security flaw in the Chrome browser emerges just as the world is confronting the frightening prospect of an undetectable bug known as Heartbleed, that makes millions of passwords vulnerable to being stolen".

    'It is being widely reported in the popular press as well as many technical sites that a Heartbleed exploitation "leaves behind no trace"`. That of course is not true.

    SSL Server Test

    1. Re:Undetectable Heartbleed bug? by Johann+Lau · · Score: 2

      person reporting on toxicologist conference: "What we are dealing with here is a toxin that leaves no traces in the human body, making it impossible to find out the cause of death."

      Dwight: "FALSE! If you make a spectral analysis of ever particle of food and air that enters the body, and store them forever, you will find plenty of evidence for this supposedly undetectable poison!"

      I'd say they're both right, in a way. For most real world deployments, it's impossible to find out if they have been compromised by this in the past because they didn't have a packet filter installed, so it's best for them to assume that they have been.

  6. Temporary workaround by Alain+Williams · · Score: 4, Funny

    Get the wife & kids to learn and speak Navajo at home. It worked for the USA in World War II so it can work for you too!

    1. Re:Temporary workaround by mythosaz · · Score: 2

      Crazy-aside. I'm in Arizona, and I used to work with one of the 100,000 or so people on the planet who speak Navajo, [hick voice] and let me tell you what [/hick] it's a baffling language.

      Not only does it requires sounds I can't make...
      http://en.wikipedia.org/wiki/N...

      ...but I challenge anyone who isn't a linguist to read and even vaguely comprehend the Navajo language Wikipedia article. :/

  7. Hardware off switches by ArcadeMan · · Score: 2

    This kind of thing should push manufacturers to put hardware on-off switches for both the microphone and the webcam. A simple LED isn't enough, especially if those LEDs aren't directly tied to the power lines of the hardware anymore - I'm looking at you, Apple.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Hardware off switches by BlazingATrail · · Score: 2

      Just like auto manufacturers put cosmetic do-nothing switches in for disabling the airbags. Also, the emergency air masks in the airplanes are just hooked up to each other, not to oxygen. Take quick panic breaths and see who passes out first!

    2. Re:Hardware off switches by noh8rz10 · · Score: 2

      I put a little static cling sticker on the lens. it acts like a simple lenscap. I push it aside when I want to take a photo, move it back when I'm done. sometimes the simplest solutions are the best. haven't solved the microphone problem yet though...

  8. Re:Google had to have put this in on purpose by Anonymous Coward · · Score: 4, Informative

    speech-to-text

    Not sure why everybody keeps writing text-to-speech even though that makes no logical sense in this context :)

  9. Old news? by SmilingBoy · · Score: 2

    I assume that this is the same thing as reported a few months ago? If so, then it is not so simple: the attacking website needs to create a pop-under so that the microphone symbol is hidden. And pop-unders are difficult to achieve with Chrome with the popup blocker activated (as is usually the case).

    1. Re:Old news? by SmilingBoy · · Score: 3, Interesting

      And what a weak article. A link to the Chromium issue tracker but not the actual issue, and a link to Reddit but not the actual submission. Are you kidding me?

  10. Kinect also listening? by SuperKendall · · Score: 2

    Since Kinect also has a model where it's always listening in order to be able to execute commands, I wonder if there's any similar vulnerability from the Kinect web browser (not that many people probably use the Xbox One for browsing, but still).

    ---> Kendall

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Precursor by FuzzNugget · · Score: 4, Funny

    "Let's give web browsers direct access to hardware!", they said, "it'll be great!"

  12. Re:and the transcripts all say... by SumDog · · Score: 2

    WTF have I dicking miss loopy cotton for eight reconed to take this site to work?

  13. Re:8 seconds? by mythosaz · · Score: 2

    Please [diety], let this guy be watching bull riding.

  14. He only gave Google 2 days before going public? by Dahan · · Score: 5, Informative

    So, no thanks to TFA, I found the actual bug report, and it turns out the guy went public less than 2 days after reporting the bug to Google. Talk about impatient. And it's not true that "Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media". It's true that it was originally given a low-severity label at first, it was bumped to medium a day-and-a-half later, then up to high a few hours after that--around the same time that he went to reddit about it. Not exactly sure if it was before or after, since I don't know the timezone of the times reported on Chrome's issue tracker, but one of the comments from Google says that they had already bumped the severity rating before they knew about him going public.

  15. Re:8 seconds? by sexconker · · Score: 2

    Please [diety], let this guy be watching bull riding.

    He is, but in my opinion it makes the furious masturbation more disturbing, not less.

  16. Re:Oh really.. EXCELLENT NEWS! by noh8rz10 · · Score: 4, Interesting

    the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.

    that is super creepy.

  17. Re:Google had to have put this in on purpose by Actually,+I+do+RTFA · · Score: 4, Funny

    Google Now (recently added to the Chrome browser)

    That's why it's always more secure to run software 6 or more versions out of date. No zero-day bugs for me!

    --
    Your ad here. Ask me how!
  18. Re:What microphone? by fnj · · Score: 2

    I haven't had a microphone connected to my computer since about 2001.

    No laptop? The mid 1990s called. They want to know how you missed the last 20 years.

  19. It's still through a driver by tepples · · Score: 3

    Since DOS fell into general disuse, neither audio input nor keyboard input is especially "direct access to hardware". The device driver handles the direct access under the control of the API infrastructure in the operating system. Thus being able to read an audio input device through an audio input API is not direct access any more than being able to read an alphabetic keyboard device through a keyboard API is direct access.

  20. Re:Google Voice Search Isn't On By Default by noh8rz10 · · Score: 4, Informative

    they say "To improve processing of your voice input, Google may record a few seconds of ambient background noise in temporary memory at any time.". I take this to mean, they are recording constantly into a buffer at all times.

  21. Re:Google had to have put this in on purpose by 0ld_d0g · · Score: 2

    So, your privacy hinges on the fact that Google programmers remain incompetent?