Google Chrome Flaw Sets Your PC's Mic Live
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
Flaw? (Score:5, Interesting)
Yeah right.
Re:Flaw? (Score:5, Insightful)
Yeah, the flaw is that it wasn't hidden well enough..
Re: (Score:3, Interesting)
WTF WHY IS CHROME TRANSCRIBING EVERYTHING I SAY??? are they looking for keywords to advertise against, like they do in gmail? the bug here is that some websites are gaining access to the transcriptions that are supposed to only go to google?
I admit that sometimes I have my tinfoil hat on, but this is absurdly beyond the scope of anything I could have imagined.
Re: (Score:2, Interesting)
WHY are you using a proprietary commercial suite to browse the web??
Captcha: nonsense
Re: (Score:1)
WHY are you using a proprietary commercial suite to browse the web??
Because of the way the people at Mozilla treated Brendan Eich.
Re: (Score:2)
So it's unreasonable to boycott Mozilla for hiring Eich, but reasonable to boycott it for letting Eich go? Isn't that an inconsistent position?
Re: (Score:2)
He didn't say anything about the boycotters. It's possible for both boycotts to be reasonable but for Mozilla's actions to not be.
Re: (Score:3)
Also, I will no longer test the software I develop with their browser. In this way, I will contribute to making Firefox deliver a substandard user experience to those who do choose to support them.
How consistent are you?
Do you use Google Chrome? Google openly supports gay marriage, so you must not test your code in their browser either, right? So does Microsoft, so IE is right out.
Ah, you must be a Safari user! Oh, wait. Apple also openly supports gay marriage. I guess that can't be it.
So... with what browser DO you test your software? Are you the last HotJava user? That would be pretty wild.
Re: (Score:1)
I test all my web apps in Lynx. If it works there, it's ready to go out the door ;-)
Re: (Score:2)
What if homosexual couples adopt? Then your society marriage contract is still secure and everybody is good, yes?
Google Voice Search Isn't On By Default (Score:2)
Re:Google Voice Search Isn't On By Default (Score:5, Informative)
they say "To improve processing of your voice input, Google may record a few seconds of ambient background noise in temporary memory at any time.". I take this to mean, they are recording constantly into a buffer at all times.
Re: (Score:2)
Has anyone noticed that on stories about Google, if you post a negative comment almost immediately you get negative banged? Over time other readers pos bang you back up. This is probably the 5-10th time I've seen this happen. They must have PR guys trawling for this stuff.
Re: (Score:3, Insightful)
But why is the browser accessing the microphone in the first place?
Google had to have put this in on purpose (Score:1, Insightful)
An "accidental bug" which enables not only the microphone (even when it's supposed to be turned off) but text to speech conversion? No way.
If anyone can find an honest prosecutor, criminal prosecution is in order.
Re:Google had to have put this in on purpose (Score:5, Informative)
Of course it's built in, it's part of the "ok google" keyword that Google Now (recently added to the Chrome browser) uses to detect an incoming command. The flaw is that transcript is kept for any length of time and that it's available to websites being viewed.
Re:Google had to have put this in on purpose (Score:5, Funny)
That's why it's always more secure to run software 6 or more versions out of date. No zero-day bugs for me!
Re: (Score:2)
An "accidental bug" which enables not only the microphone (even when it's supposed to be turned off) but text to speech conversion? No way.
Did you even read the summary? It offers access only to the text-to-speech conversion output, not the microphone itself. (But yes, that was my first thought, and no, this should still not be happening.)
Re:Google had to have put this in on purpose (Score:4, Informative)
speech-to-text
Not sure why everybody keeps writing text-to-speech even though that makes no logical sense in this context :)
Re: (Score:2)
and i bet google gets a text stream of speech to text data of what people are saying
i'll have to test this
Re: (Score:2)
People can get access to horrible transcripts that vaguely resemble words you said...or random noise it decides are words.
Re: (Score:2)
So, your privacy hinges on the fact that Google programmers remain incompetent?
What microphone? (Score:1)
I haven't had a microphone connected to my computer since about 2001.
Re: (Score:3)
No laptop? The mid 1990s called. They want to know how you missed the last 20 years.
How conveeeenient! (Score:5, Insightful)
This flaw, plus heartbleed, makes it sound like all the conspiracy theorists got together for a secret cabal to convince the world that the NSA really is out to get everyone.
Re:How conveeeenient! (Score:5, Insightful)
The NSA really is out to get everyone! Except themselves, of course. That's private.
Re:How conveeeenient! (Score:4, Insightful)
What the NSA does with itself in the privacy of its comically failed oversight process, is its own business.
Re: (Score:2)
It's not the NSA, it's really /shit/ programmers. We're looking for you :p
Re:How conveeeenient! (Score:4)
The NSA really is out to get everyone! Except themselves, of course. That's private.
If only there were some way to rein them in ...
I've got it! "Progressives" could control the Executive branch for over five years. I'd love to see the NSA pull this stuff then!
Re: (Score:2)
Colorless green ideas sleep furiously. [wikipedia.org]
Re: (Score:1)
Echo chamber groupthink. You guys are a minority.
Re: (Score:2)
So? People who resisted Hitler were in the minority, too. That just made it more valiant, not less worthwhile. In contrast, do you know what even 7 billion times zero adds up to? I think you might, deep inside, hence
http://en.wikipedia.org/wiki/A... [wikipedia.org]
^ I love how you come with that right after complaining about an "echo chamber", too.
Re: (Score:3)
I could have made the exact same point using a million comparisons, but I like to stick with Hitler just to give people like you something to get excited about ^^
Re: (Score:2)
Actually, the response was "Echo chamber groupthink. You guys are a minority." Apologies for picking up on the undertones and jumping right to the meat of it.
Huh, I guess reading and thinking does not come easy for you. Keep trying!
Re: (Score:2)
it makes it even believable that the NSA "accidentally" records all information which it "accidentally" acquired. You know, in times when even google "accidentally" turns on the microphone and a security library has "accidentally" simple checks deactivated, you know they just "accidentally" forgot the "SELECT" statement.
Re: (Score:2)
I hope they like belches and farts 'cause that's most of what goes on in front of my laptop.
Re: (Score:2)
I hope they like the Vogon poetry [wikipedia.org] I leave on repeat when not around my computer.
"Oh freddled gruntbuggly,
Thy micturations are to me
As plurdled gabbleblotchits on a lurgid bee.
Groop, I implore thee, my foonting turlingdromes,
And hooptiously drangle me with crinkly bindlewurdles,
Or I will rend thee in the gobberwarts
With my blurglecruncheon, see if I don't!"
Re: (Score:1)
Oh stop it. You want to see how bad a news aggregation site can be? Go check out this "vox.com" site, put together by people from the NYT and other big-time media outfits. It's the ugliest thing I've ever seen, works like shit, and is insulting to boot. It's like Buzzfeed for a new generation of hipsters who hate Buzzfeed. They must have read somewhere that headlines get more hits if you put a number in them, like, "17 Ways To Watch Game of Thrones More Effectively" or, "9 Secrets To Having a Happy Lif
Don't Worry, Folks. (Score:5, Funny)
I talk to myself in different voices all the time, and engage in detailed plots to take over the world.
If I haven't been picked up by the Men In White Coats by now, they aren't listening.
Re: (Score:2)
And, the drone's payload of missiles.
Now, I must re-engage my cloaking device and hope the missiles can't follow the heat signature from my chimney.
Oh really.. EXCELLENT NEWS! (Score:2)
They are turning on the built in microphone? EXCELLENT! Google can sure do stuff I never imagined possible...
I have an old cheap laptop (still running XP) that doesn't have a microphone built in so somehow I don't think they are doing anything of the kind, at least to me.
Re:Oh really.. EXCELLENT NEWS! (Score:5, Interesting)
the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.
that is super creepy.
Re: (Score:2)
the news here is that the website doesn't turn on the microphone, google turns on the microphone and starts making transcriptions of everything you say. the website just accesses the transcriptions. why is goog recording everything? rhetorical question, they are looking for keywords that they can advertise against. did you just say "cancun"? they will give you hotel and airline ads.
that is super creepy.
I have been very interested to see what will cause a large number of people to stop using Google products. We have got to be getting close.
Undetectable Heartbleed bug? (Score:3)
'It is being widely reported in the popular press as well as many technical sites that a Heartbleed exploitation "leaves behind no trace"'. That of course is not true [riverbed.com].
SSL Server Test [ssllabs.com]
Re: (Score:3)
person reporting on toxicologist conference: "What we are dealing with here is a toxin that leaves no traces in the human body, making it impossible to find out the cause of death."
Dwight: "FALSE! If you make a spectral analysis of every particle of food and air that enters the body, and store them forever, you will find plenty of evidence for this supposedly undetectable poison!"
I'd say they're both right, in a way. For most real world deployments, it's impossible to find out if they have been compromised b
Re: (Score:2)
You mean NSW, which is short for NSFW, which stands for New South Fucking Wales, right?
You have a point, but I think they generally use their ill-gained information to exploit sheep rather than to help people protect internet infrastructure :(
Re: (Score:2)
The popular press incorrectly "reports" lots of things that are just plain wrong. However heartbleed.com [slashdot.org] already explained that such detection was possible if an IDS were looking for the fingerprint:
Don't worry (Score:2)
Re: (Score:2)
Re: (Score:2)
...which is how you know it's fantasy.
Temporary workaround (Score:5, Funny)
Get the wife & kids to learn and speak Navajo at home. It worked for the USA in World War II [wikipedia.org] so it can work for you too!
Re: (Score:3)
Crazy-aside. I'm in Arizona, and I used to work with one of the 100,000 or so people on the planet who speak Navajo, [hick voice] and let me tell you what [/hick] it's a baffling language.
Not only does it require sounds I can't make...
http://en.wikipedia.org/wiki/N... [wikipedia.org]
Re: (Score:2)
Challenge accepted - I'm not a professional linguist, nor do I have even an iota of formal training in the field, but I read most of that just fine, only having to look up "head-marking language". Just don't ask me how to pronounce the ejective consonants... I still can't figure that out. The written language certainly looks complex and intimidating, but that's at least partly because they're using a slightly-modified Latin alphabet rather than one that was designed purely for the needs of their language, m
Re: (Score:2)
I would tell you to use American Sign Language, but then They would just turn on the camera.
Hardware off switches (Score:3)
This kind of thing should push manufacturers to put hardware on-off switches for both the microphone and the webcam. A simple LED isn't enough, especially if those LEDs aren't directly tied to the power lines of the hardware anymore - I'm looking at you, Apple.
Re: (Score:2)
Re: (Score:1)
Yes. As soon as some new phone is released there's always web sites that rip it apart instantly.
They can add "Verified LED is hardware tied to powering the mic." to their report.
Re: (Score:2)
Re: (Score:2)
Apple and Logitech.
Re: (Score:3)
I put a little static cling sticker on the lens. it acts like a simple lenscap. I push it aside when I want to take a photo, move it back when I'm done. sometimes the simplest solutions are the best. haven't solved the microphone problem yet though...
Re: (Score:2)
I put a little static cling sticker on the lens.
They are working on bypassing that particular security measure:
https://medium.com/the-physics... [medium.com]
Re: (Score:2)
+1 very cool, thanks
Re: (Score:2)
The only thing you should push lawmakers towards is a high cliff so they take a flying leap and protect the country from their idiocy and malfeasance. And there are plenty ways to disable a microphone and a little piece of black tape takes care of the camera problem. If you need the government or a corporation to protect your privacy then you really don't deserve any.
Re: (Score:2)
It's time to turn off the computer and find a nice place with neighbors at least a mile away.
You're only just now realizing that any communication can be intercepted?
Re: (Score:2)
moto x already does continuous audio recording and sends it to google. it has a dedicated cpu core just for that. and people are very happy with the functionality :/
Re: (Score:3)
Please [deity], let this guy be watching bull riding.
Re: (Score:2)
Please [deity], let this guy be watching bull riding.
He is, but in my opinion it makes the furious masturbation more disturbing, not less.
Old news? (Score:3)
Re: (Score:2)
Re:Old news? (Score:4, Interesting)
Kinect also listening? (Score:3)
Since Kinect also has a model where it's always listening in order to be able to execute commands, I wonder if there's any similar vulnerability from the Kinect web browser (not that many people probably use the Xbox One for browsing, but still).
---> Kendall
Re: (Score:2)
Re: (Score:2)
I was never willing to connect the Kinect for my Xbone. But the joke's on me: I've since discovered I don't like playing games with a console controller, so the only reason I'll use my Xbone again is if there's a game that plays best through the Kinect. Still hoping for that.
(I really wanted to like the Forza game, as I'm tired of my PC driving games where I just use the arrow keys, but even after a few hours I couldn't guess what laws of physics the game was modeling. Wow, what a stinker.)
Trust no one (Score:1)
Precursor (Score:5, Funny)
Re: (Score:2)
Yeah, how dare they take input from the keyboard and mouse!
It's still through a driver (Score:4)
Re: (Score:2)
Paranoid? (Score:1)
Call me paranoid, but I always keep a blank plug in the mic jack, effectively disabling the mic input. When I ~want~ to use the mic, I will remove the plug. (I also have a cover over the camera....)
He only gave Google 2 days before going public? (Score:5, Informative)
In a related news... (Score:2)
Opt-out is the new default... (Score:1)
Remember that awkward interview with Zuckerberg where he was asked why some of the FB privacy stuff was opt-out instead of opt-in.. ? I think a lot of companies have learnt from that exchange. Other than nerds, the average person won't care about this as well. Hell 7 years ago all of us would be highly suspicious of software that downloaded unverifiable executables and could update them behind your back like Chrome does now. In the same way where you don't have control over the UI experience of a website,
Re: (Score:2)
You want a browser to auto-update, though (or have it be handled by something like Windows Update, APT, yum etc.)
If a browser doesn't update, your freedom and privacy is at risk and assuming the current story is a bug, that's how it gets fixed. Silly maybe but there's no way around it. Or use a browser that doesn't know about javascript, video, sound, mics etc.
Chromium issuetracker / bugtracker link (Score:2)
I think this is the link of the bugreport in question:
https://code.google.com/p/chro... [google.com]
Seems legit. f#$!.. Google don't be evil. This attributes to being evil, regardless whether it happened knowingly.
Re: (Score:2)
Sorry for the bad link, i meant
https://code.google.com/p/chro... [google.com]
"Speak Now" bubble give it away (Score:2)
I get a "Speak Now" bubble when I visit the demonstration website. Isn't that sort of a dead giveaway that something is amiss?
I don't see this as a particularly big flaw unless the bubble is hidden in certain instances.
-- Marcio
good job (Score:2)
Re: (Score:3)
WTF have I dicking miss loopy cotton for eight reconed to take this site to work?
Click frenzy! Production x777 for 13 seconds (Score:2)