Slashdot Mirror


Google Chrome Flaw Sets Your PC's Mic Live

First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."

18 of 152 comments

  1. Flaw? by GodfatherofSoul · · Score: 5, Interesting

    Yeah right.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Flaw? by fustakrakich · · Score: 5, Insightful

      Yeah, the flaw is that it wasn't hidden well enough..

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Flaw? by Anonymous Coward · · Score: 3, Insightful

      But why is the browser accessing the microphone in the first place?

  2. How conveeeenient! by plover · · Score: 5, Insightful

    This flaw, plus heartbleed, makes it sound like all the conspiracy theorists got together for a secret cabal to convince the world that the NSA really is out to get everyone.

    --
    John
    1. Re:How conveeeenient! by ArcadeMan · · Score: 4, Insightful

      The NSA really is out to get everyone! Except themselves, of course. That's private.

    2. Re:How conveeeenient! by Wootery · · Score: 3, Insightful

      What the NSA does with itself in the privacy of its comically failed oversight process is its own business.

    3. Re:How conveeeenient! by cascadingstylesheet · · Score: 3

      The NSA really is out to get everyone! Except themselves, of course. That's private.

      If only there were some way to rein them in ...

      I've got it! "Progressives" could control the Executive branch for over five years. I'd love to see the NSA pull this stuff then!

  3. Re:Google had to have put this in on purpose by MozeeToby · · Score: 4, Informative

    Of course it's built in, it's part of the "ok google" keyword that Google Now (recently added to the Chrome browser) uses to detect an incoming command. The flaw is that the transcript is kept for any length of time and that it's available to websites being viewed.

  4. Don't Worry, Folks. by IonOtter · · Score: 4, Funny

    I talk to myself in different voices all the time, and engage in detailed plots to take over the world.

    If I haven't been picked up by the Men In White Coats by now, they aren't listening.

    --
    [End Of Line]
  5. Temporary workaround by Alain Williams · · Score: 4, Funny

    Get the wife & kids to learn and speak Navajo at home. It worked for the USA in World War II so it can work for you too!

  6. Re:Google had to have put this in on purpose by Anonymous Coward · · Score: 4, Informative

    speech-to-text

    Not sure why everybody keeps writing text-to-speech even though that makes no logical sense in this context :)

  7. Re:Old news? by SmilingBoy · · Score: 3, Interesting

    And what a weak article. A link to the Chromium issue tracker but not the actual issue, and a link to Reddit but not the actual submission. Are you kidding me?

  8. Precursor by FuzzNugget · · Score: 4, Funny

    "Let's give web browsers direct access to hardware!", they said, "it'll be great!"

  9. He only gave Google 2 days before going public? by Dahan · · Score: 5, Informative

    So, no thanks to TFA, I found the actual bug report, and it turns out the guy went public less than 2 days after reporting the bug to Google. Talk about impatient. And it's not true that "Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media". It's true that it was originally given a low-severity label at first, but it was bumped to medium a day-and-a-half later, then up to high a few hours after that--around the same time that he went to reddit about it. Not exactly sure if it was before or after, since I don't know the timezone of the times reported on Chrome's issue tracker, but one of the comments from Google says that they had already bumped the severity rating before they knew about him going public.

  10. Re:Oh really.. EXCELLENT NEWS! by noh8rz10 · · Score: 4, Interesting

    the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.

    that is super creepy.

  11. Re:Google had to have put this in on purpose by Actually, I do RTFA · · Score: 4, Funny

    Google Now (recently added to the Chrome browser)

    That's why it's always more secure to run software 6 or more versions out of date. No zero-day bugs for me!

    --
    Your ad here. Ask me how!
  12. It's still through a driver by tepples · · Score: 3

    Since DOS fell into general disuse, neither audio input nor keyboard input is especially "direct access to hardware". The device driver handles the direct access under the control of the API infrastructure in the operating system. Thus being able to read an audio input device through an audio input API is not direct access any more than being able to read an alphabetic keyboard device through a keyboard API is direct access.

  13. Re:Google Voice Search Isn't On By Default by noh8rz10 · · Score: 4, Informative

    they say "To improve processing of your voice input, Google may record a few seconds of ambient background noise in temporary memory at any time." I take this to mean, they are recording constantly into a buffer at all times.