Chrome Bug Leaves Users Vulnerable To Eavesdropping

Why is Google waiting to fix a bug that allows malicious code to eavesdrop on Chrome users?

While Google pounds away on the NSA and gives lots of money to libertarian organizations associated with the Kochs, this is happening:

While we’ve all grown accustomed to chatting with Siri, talking to our cars, and soon maybe even asking our glasses for directions, talking to our computers still feels weird. But now, Google is putting their full weight behind changing this. There’s no clearer evidence of this than visiting Google.com and seeing a speech recognition button right there inside Google’s most sacred real estate - the search box.

Yet all this effort may now be compromised by a new exploit which lets malicious sites turn Google Chrome into a listening device, one that can record anything said in your office or your home, as long as Chrome is still running.

Watch the video to see how it works.

The eavesdrop requires execution of malicious code, and Google has been aware of it for some time.

I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers had identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000).

Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.

I was ecstatic. The system works.

But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour - “Nothing is decided yet.”

As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.

By the way, the web’s standards organization, the W3C, has already defined the correct behaviour which would’ve prevented this… This was done in their specification for the Web Speech API, back in October 2012.



What's up with that, Google? Are you just paying lip service to the NSA eavesdrops while listening in on your own users?

About karoli

Card-carrying member of we, the people.
