A security vulnerability in the Chrome browser that allowed malicious websites to secretly record audio through a microphone connected to the computer has now been revealed. The exploit was revealed after a lack of progress by Google to implement a patch. This exploit could have allowed for the private conversations of nearby individuals to be eavesdropped upon, according to a developer.
The flaw was discovered by Tal Ater, and it allowed sites to record through Chrome’s speech recognition system, without informing the user. The exploit did require users to give permission to a site to listen in the first place, however it could still listen in at a later time, when the user was away from the initial site where they gave permission.
“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window,” Ater warns.
The exploit was revealed to Google’s security team privately on September 13th, with suggested fixes identified on September 19th, and a patch created on September 24th. Despite the patch, it seems like Google is waiting for its web standards group to agree on the patch’s release. This delay forced Ater to publish the code for the vulnerability through a website for all to see. Maybe now Google will do something about it.