Developer finds Chrome eavesdropping bug
Any computer running the Chrome browser can be subverted to eavesdrop on conversations happening around it, claims a developer.
Israeli coder Tal Ater found the bug while working on his own speech recognition software.
Despite Google finding a way to fix the bug in October 2013, the update has yet to be rolled out to Chrome, he said. Google said there was no immediate threat to users from the speech recognition system.
“Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised,” wrote Mr Ater in a blogpost explaining what he had found. The bug emerges when malicious sites try to subvert the way Chrome handles speech recognition, he said.
Typically, people must manually grant permission to each site that wants to access a computer’s microphone to listen in. Once permission has been granted, Chrome lets people know a site is listening via a blinking red dot on the tab for that site.
In a video accompanying the blogpost, Mr Ater showed how a malicious attacker could use specially crafted code to exploit these permissions to launch a “pop-under” window that starts the speech recognition system. “The malicious site you visited can continue listening in on you long after you have left it,” said Mr Ater. “As long as Chrome is still running nothing said next to your computer is private.”