Tal Atler, a web developer in Israel, discovered that once you give a website permission to access your microphone in Chrome, you become vulnerable to malicious eavesdropping by that site. As Atler explained in a blog post later picked up by BBC and other outlets, the site can continue to “record anything said in your office or your home, as long as Chrome is still running.”
How does it work? Once you give permission for a site to access your microphone, Google Chrome displays a red icon to notify you when it is being used.
However, there is a bug Atler discovered whereby these sites, even after you leave them, can deploy a pop-under window in your browser that continues to record everything in earshot of your computer.
That means, as long as you are using Chrome, it is possible that every noise in range of your computer is sent to Google to be analyzed and then potentially passed on to a malicious site.
According to Atler, after notifying Google, the Chrome team promptly created a fix for the bug but has yet to implement it.
“The security of our users is a top priority, and this feature was designed with security and privacy in mind,” a Google spokesperson told BBC. “We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it.”
Photo by A Strakey/Flickr