Talented web developer Tal Ater has found a bug in Google’s widely-used Chrome browser. Ater, who works in speech recognition programming, stumbled upon the bug during his own work. According to Ater, the bug could let websites with malicious intentions activate your microphone without you ever noticing. Here’s how it works.
When you visit a site that wants to use your microphone, the site has to ask for your permission. Assuming you accept, this site will be able hear what you say for the duration of your visit at the site. This is relatively harmless in and of itself - web developers are actively working to allow users to execute commands on the internet using their voice.
When a site is accessing your microphone, a red light will appear in the browsing window letting you know that you’re microphone is activated. But, Ater says, a website does not have to ask you for permission to access your microphone every time you visit. Consenting to microphone use even once on a site is all the site needs to access your microphone in future visits without asking.
Here’s the kick: the way Chrome currently works, it’s not at all difficult for a website to open a discreet pop-up window without you noticing. This window could open, activate your microphone, and record your conversations for hours or days before you ever notice.
"Even while not using your computer - conversations, meetings and phone calls next to your computer may be recorded and compromised," Ater said in his blog post on the bug.
“The malicious site you visited can continue listening in on you long after you have left it," Ater continued. "As long as Chrome is still running nothing said next to your computer is private.”
Ater reported the bug to Google on September 24th. Google’s engineers responded swiftly with a patch for the exploit. But Google is yet to implement the patch in the mainstream code of Chrome. The internet giant says the issue is still being debated amongst their browser Standards group.
“As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action," Ater said, "and your browser is still vulnerable."