Second eavesdropping bug is found in Google Chrome

Unplug your mic and put tape over your webcam
Wed Apr 09 2014, 17:05

A SECURITY BLOGGER has discovered a flaw in Google Chrome that allows attackers to turn any victim's machine into a listening post.

A blogger named Guya explained that a deprecated speech API known as "x-webkit-speech" can be harnessed to run in the background without any indication to the end user that their microphone is on. His blog post includes a video that demonstrates the flaw, which you can view below.

A developer simply needs to add a single line of code to a website to exploit the bug and gain access to an audio feed of the victim's environment.

As Guya explained, "There is absolutely no indication that anything is going on. There are no other windows or tabs, and [not] some kind of hidden popup or pop-under. The user will never know this website is eavesdropping."

Any on-screen indication or window can be set to appear at the edge of the screen, or be covered with images or other page elements.

Guya has reported the problem to Google, which has yet to comment. However, this is not the first time this year that an eavesdropping issue has been reported in Google Chrome.

In January, another blogger named Talater revealed that he had reported a similar issue to Google the previous September and that, although he had been advised of a patch within four days, the exploit was still functional four months later.

Around the same time, Google removed several extensions from its Chrome Store because of concerns about malware.

Despite these flaws, Chrome recently overtook Firefox to become the second most popular web browser in the world. µ

