Chrome Bug Leaves Users Vulnerable To Eavesdropping

Why is Google waiting to fix a bug that allows malicious code to eavesdrop on Chrome users?
By Karoli KunsJanuary 22, 2014

While Google pounds away on the NSA and gives lots of money to libertarian organizations associated with the Kochs, this is happening:

While we’ve all grown accustomed to chatting with Siri, talking to our cars, and soon maybe even asking our glasses for directions, talking to our computers still feels weird. But now, Google is putting their full weight behind changing this. There’s no clearer evidence to this, than visiting Google.com, and seeing a speech recognition button right there inside Google’s most sacred real estate - the search box.

Yet all this effort may now be compromised by a new exploit which lets malicious sites turn Google Chrome into a listening device, one that can record anything said in your office or your home, as long as Chrome is still running.

Watch the video to see how it works.

The eavesdrop requires execution of malicious code, and Google has been aware of it for some time.

I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers have identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000.)

Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.

I was ecstatic. The system works.

But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour - “Nothing is decided yet.”

As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.

By the way, the web’s standards organization, the W3C, has already defined the correct behaviour which would’ve prevented this… This was done in their specification for the Web Speech API, back in October 2012.

What's up with that, Google? Are you just paying lip service to the NSA eavesdrops while listening in on your own users?

Can you help us out?

For nearly 20 years we have been exposing Washington lies and untangling media deceit, but now Facebook is drowning us in an ocean of right wing lies. Please give a one-time or recurring donation, or buy a year's subscription for an ad-free experience. Thank you.

Become a subscriber:
 
Make a donation:

If you don't mind the ads and would rather donate, please select one of the options below:

Kindest
Donate via PayPal
Via Snail Mail
payable to: Crooksandliars
528 Palisades Drive
Ste 548
Pacific Palisades, CA 90272

Explore more

Discussion

We welcome relevant, respectful comments. Any comments that are sexist or in any other way deemed hateful by our staff will be deleted and constitute grounds for a ban from posting on the site. Please refer to our Terms of Service for information on our posting policy.

What's Hot

Happening now

Latest from Blue America

Help Make America Blue
Mastodon