A SECURITY BLOGGER has discovered a flaw in Google Chrome that allows attackers to turn any victim's machine into a listening post.
A blogger named Guya explained that a deprecated speech API known as "x-webkit-speech" can be harnessed to run in the background without any indication to the end user that their microphone is on. His blog post includes a video that demonstrates the flaw, which you can view below.
A developer simply needs to add a single line of code to a website to exploit the bug and gain access to an audio feed of the victim's environment.
As Guya explained, "There is absolutely no indication that anything is going on. There are no other windows or tabs, and [not] some kind of hidden popup or pop-under. The user will never know this website is eavesdropping."
Any on-screen indication or windows can be set to appear on the edge of the screen or covered with images or other page elements.
Guya has reported the problem to Google, which has yet to comment. However, this is not the first time this year that an eavesdropping issue has been reported in Google Chrome.
In January another blogger named Talater revealed that he had reported a similar issue to Google the previous September, and despite having been advised of a patch within four days the exploit was still functional four months later.
Around the same time, Google removed several extensions from its Chrome Store because of concerns about malware.
Despite these flaws, Chrome recently overtook Firefox to become the second most popular web browser in the world. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted