Forgot your password?
typodupeerror
Chrome Bug Google Privacy Security

Google Chrome Flaw Sets Your PC's Mic Live 152

Posted by timothy
from the lives-of-others dept.
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
This discussion has been archived. No new comments can be posted.

Google Chrome Flaw Sets Your PC's Mic Live

Comments Filter:
  • Flaw? (Score:5, Interesting)

    by GodfatherofSoul (174979) on Thursday April 10, 2014 @05:31PM (#46719105)

    Yeah right.

    • Re:Flaw? (Score:5, Insightful)

      by fustakrakich (1673220) on Thursday April 10, 2014 @05:54PM (#46719389) Journal

      Yeah, the flaw is that it wasn't hidden well enough..

      • Re: (Score:3, Interesting)

        by noh8rz10 (2716597)

        WTF WHY IS CHROME TRANSCRIBING EVERYTHING I SAY??? are they looking for keywords to advertise against, like they do in gmail? the bug here is that some websites are gaining access to the transcriptions that are supposed to only go to google?

        I admit that sometimes I have my tinfoil hat on, but this is absurdly beyond the scope of anything I could have imagined.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          WHY are you using a proprietary commercial suite to browse the web??

          Captcha: nonsense

          • WHY are you using a proprietary commercial suite to browse the web??

            Because of the way the people at Mozilla treated Brendan Eich.

            • So it's unreasonable to boycott Mozilla for hiring Eich, but reasonable to to boycott it for letting Eich go? Isn't that an inconsistent position?

              • by Richy_T (111409)

                He didn't say anything about the boycotters. It's possible for both boycotts to be reasonable but for Mozilla's actions to not be.

    • I did a little critical thinking. I asked myself, "What's the story behind voice search? I don't know anything about it." It turns out you have to click to turn on voice Search. They aren't recording everything by default: https://support.google.com/chr... [google.com] What they do with the recordings and how long they keep them, I don't know.
    • Has anyone noticed that on stories about Google, if you post a negative comment almost immediately you get negative banged? Over time other readers pos bang you back up. This is probably the 5-10th time I've seen this happen. They must have PR guys trawling for this stuff.

  • An "accidental bug" which enables not only the microphone (even when it's supposed to be turned off) but text to speech conversion? No way.

    If anyone can find an honest prosecutor, criminal prosecution is in order.

  • How conveeeenient! (Score:5, Insightful)

    by plover (150551) on Thursday April 10, 2014 @05:34PM (#46719147) Homepage Journal

    This flaw, plus heartbleed, makes it sound like all the conspiracy theorists got together for a secret cabal to convince the world that the NSA really is out to get everyone.

    • by ArcadeMan (2766669) on Thursday April 10, 2014 @05:46PM (#46719285)

      The NSA really is out to get everyone! Except themselves, of course. That's private.

    • by drolli (522659)

      it makes it even believable that the NSA "accidentally" records all infromation which it "accidentally" acquired. You know, in times when even google "accidentally" turns on the microphone and a security library has "accidentally" simple checks deactivated, you know they just "accicentally" forgot the "SELECT" statement.

  • by IonOtter (629215) on Thursday April 10, 2014 @05:41PM (#46719249) Homepage

    I talk to myself in different voices all the time, and engage in detailed plots to take over the world.

    If I haven't been picked up by the Men In White Coats by now, they aren't listening.

  • They are turning on the built in microphone? EXCELLENT! Google can sure do stuff I never imagined possible...

    I have an old cheap laptop (still running XP) that doesn't have a microphone built in so somehow I don't think they are doing anything of the kind, at least to me.

    • by noh8rz10 (2716597) on Thursday April 10, 2014 @07:22PM (#46720099)

      the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.

      that is super creepy.

      • the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.

        that is super creepy.

        I have been very interested to see what will cause a large number of people to stop using Google products. We have got to be getting close.

  • by DTentilhao (3484023) on Thursday April 10, 2014 @05:45PM (#46719273)
    "The security flaw in the Chrome browser emerges just as the world is confronting the frightening prospect of an undetectable bug known as Heartbleed, that makes millions of passwords vulnerable to being stolen".

    'It is being widely reported in the popular press as well as many technical sites that a Heartbleed exploitation "leaves behind no trace"`. That of course is not true [riverbed.com].

    SSL Server Test [ssllabs.com]
    • person reporting on toxicologist conference: "What we are dealing with here is a toxin that leaves no traces in the human body, making it impossible to find out the cause of death."

      Dwight: "FALSE! If you make a spectral analysis of ever particle of food and air that enters the body, and store them forever, you will find plenty of evidence for this supposedly undetectable poison!"

      I'd say they're both right, in a way. For most real world deployments, it's impossible to find out if they have been compromised b

    • The popular press incorrectly "reports" lots of thing that are just plain wrong. However heartbleed.com [slashdot.org] already explained that such detection was possible if an IDS were looking for the fingerprint:

      Can IDS/IPS detect or block this attack?

      Although the content of the heartbeat request is encrypted it has its own record type in the protocol. This should allow intrusion detection and prevention systems (IDS/IPS) to be trained to detect use of the heartbeat request. Due to encryption differentiating between le

  • This is how Batman is going to be able to find the Joker, and we're all going to be glad when he puts a stop to his plot to poison the whole city.
    • by roc97007 (608802)

      ...and then destroys the eavesdropping tool after he catches the bad guy. Really.

      • by stoploss (2842505)

        ...and then destroys the eavesdropping tool after he catches the bad guy. Really.

        ...which is how you know it's fantasy.

  • by Alain Williams (2972) <addw@phcomp.co.uk> on Thursday April 10, 2014 @05:48PM (#46719303) Homepage

    Get the wife & kids to learn and speak Navajo at home. It worked for the USA in World War II [wikipedia.org] so it can work for you too!

    • by mythosaz (572040)

      Crazy-aside. I'm in Arizona, and I used to work with one of the 100,000 or so people on the planet who speak Navajo, [hick voice] and let me tell you what [/hick] it's a baffling language.

      Not only does it requires sounds I can't make...
      http://en.wikipedia.org/wiki/N... [wikipedia.org]

      ...but I challenge anyone who isn't a linguist to read and even vaguely comprehend the Navajo language Wikipedia article. :/

      • by gman003 (1693318)

        ...but I challenge anyone who isn't a linguist to read and even vaguely comprehend the Navajo language Wikipedia article. :/

        Challenge accepted - I'm not a professional linguist, nor do I have even an iota of formal training in the field, but I read most of that just fine, only having to look up "head-marking language". Just don't ask me how to pronounce the ejective consonants... I still can't figure that out. The written language certainly looks complex and intimidating, but that's at least partly because they're using a slightly-modified Latin alphabet rather than one that was designed purely for the needs of their language, m

  • by ArcadeMan (2766669) on Thursday April 10, 2014 @05:48PM (#46719307)

    This kind of thing should push manufacturers to put hardware on-off switches for both the microphone and the webcam. A simple LED isn't enough, especially if those LEDs aren't directly tied to the power lines of the hardware anymore - I'm looking at you, Apple.

    • "Should", maybe. But you know it won't. It's a "not our problem" situation; Google's got egg on their face, not the hardware manufacturers. Only the people that actually look bad are going to have any pressure to fix the problem.
    • by SumDog (466607)

      Apple and Logitech.

    • by noh8rz10 (2716597)

      I put a little static cling sticker on the lens. it acts like a simple lenscap. I push it aside when I want to take a photo, move it back when I'm done. sometimes the simplest solutions are the best. haven't solved the microphone problem yet though...

  • by SmilingBoy (686281) on Thursday April 10, 2014 @05:53PM (#46719369)
    I assume that this is the same thing as reported a few months ago? If so, then it is not so simple: the attacking website needs to create a pop-under so that the microphone symbol is hidden. And pop-unders are difficult to achieve with Chrome with the popup blocker activated (as is usually the case).
  • by SuperKendall (25149) on Thursday April 10, 2014 @05:56PM (#46719401)

    Since Kinect also has a model where it's always listening in order to be able to execute commands, I wonder if there's any similar vulnerability from the Kinect web browser (not that many people probably use the Xbox One for browsing, but still).

    ---> Kendall

    • As far as I could tell, the browser gets no data from the Kinect other than for navigation.
    • by lgw (121541)

      I was never willing to connect the Kinect for my Xbone. But the joke's on me: I've since discovered I don't like playing games with a console controller, so the only reason I'll use my Xbone again is if there's a game that plays best through the Kinect. Still hoping for that.

      (I really wanted to like the Forza game, as I'm tired of my PC driving games where I just use the arrow keys, but even after a few hours I couldn't guess what laws of physics the game was modeling. Wow, what a stinker.)

  • Simple solution, make a personal "cone of silence" around your chair and wear a mask.
  • Precursor (Score:5, Funny)

    by FuzzNugget (2840687) on Thursday April 10, 2014 @06:10PM (#46719541)
    "Let's give web browsers direct access to hardware!", they said, "it'll be great!"
  • Actually, that's not the problem. The voices in my head are okay. The voices in your head are a bunch of assholes, however. Tell them to shut up, please.
  • Call me paranoid, but I always keep a blank plug in the mic jack, effectively disabling the mic input. When I ~want~ to use the mic, I will remove the plug. (I also have a cover over the camera....)

  • by Dahan (130247) <khym@azeotrope.org> on Thursday April 10, 2014 @07:15PM (#46720049)
    So, no thanks to TFA, I found the actual bug report [google.com], and it turns out the guy went public less than 2 days after reporting the bug to Google. Talk about impatient. And it's not true that "Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media". It's true that it was originally given a low-severity label at first, it was bumped to medium a day-and-a-half later, then up to high a few hours after that--around the same time that he went to reddit [reddit.com] about it. Not exactly sure if it was before or after, since I don't know the timezone of the times reported on Chrome's issue tracker, but one of the comments from Google says that they had already bumped the severity rating before they knew about him going public.
  • ...NSA spokeperson declared: "It's not a bug, it's a feature".
  • Remember that awkward interview with Zuckerberg where he was asked why some of t he FB privacy stuff was opt-out instead of opt-in.. ? I think a lot of companies have learnt from that exchange. Other than nerds, the average person won't care about this as well. Hell 7 years ago all of us would be highly suspicious of software that downloaded unverifiable executables and could update them behind your back like Chrome does now. In the same way where you don't have control over the UI experience of a website,

    • You want a browser to auto-update, though (or have it be handled by something like Windows Update, APT, yum etc.)

      If a browser doesn't update, your freedom and privacy is at risk and assuming the current story is a bug, that's how it gets fixed. Silly maybe but there's no way around it. Or use a browser that doesn't know about javascript, video, sound, mics etc.

  • I think this is the link of the bugreport in question:
    https://code.google.com/p/chro... [google.com]

    Seems legit. f#$!.. Google don't be evil. This attributes to being evil, regardless whether it happened knowingly.

  • I get a "Speak Now" bubble when I visit the demonstration website. Isn't that sort of a dead giveaway that something is amiss?

    I don't see this as a particularly big flaw unless there bubble is hidden in certain instances.

    -- Marcio

  • So they went from actively looking for bugs from users and paying for them to the traditional lying about them, downplaying them, and never patching them until someone blows the whistle on it.

PLUG IT IN!!!

Working...