Read time: 2 minutes

Chrome Bug Leaves Users Vulnerable To Eavesdropping

Why is Google waiting to fix a bug that allows malicious code to eavesdrop on Chrome users?

While Google pounds away on the NSA and gives lots of money to libertarian organizations associated with the Kochs, this is happening:

While we’ve all grown accustomed to chatting with Siri, talking to our cars, and soon maybe even asking our glasses for directions, talking to our computers still feels weird. But now, Google is putting their full weight behind changing this. There’s no clearer evidence to this, than visiting Google.com, and seeing a speech recognition button right there inside Google’s most sacred real estate - the search box.

Yet all this effort may now be compromised by a new exploit which lets malicious sites turn Google Chrome into a listening device, one that can record anything said in your office or your home, as long as Chrome is still running.

Watch the video to see how it works.

The eavesdrop requires execution of malicious code, and Google has been aware of it for some time.

I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers have identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000.)

Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.

I was ecstatic. The system works.

But then time passed, and the fix didn’t make it to users’ desktops. A month and a half later, I asked the team why the fix wasn’t released. Their answer was that there was an ongoing discussion within the Standards group, to agree on the correct behaviour - “Nothing is decided yet.”

As of today, almost four months after learning about this issue, Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.

By the way, the web’s standards organization, the W3C, has already defined the correct behaviour which would’ve prevented this… This was done in their specification for the Web Speech API, back in October 2012.

What's up with that, Google? Are you just paying lip service to the NSA eavesdrops while listening in on your own users?

Can you help us out?

For 16 years we have been exposing Washington lies and untangling media deceit. We work 7 days a week, 16 hours a day for our labor of love, but with rising hosting and associated costs, we need your help! Could you donate $20 for 2020? Please consider a one time or recurring donation of whatever amount you can spare, or consider subscribing for an ad-free experience. It will be greatly appreciated and help us continue our mission of exposing the real FAKE NEWS!

More C&L Coverage

Discussion

New Commenting System

Our comments are now powered by Insticator. In order to comment you will need to create an Insticator account. The process is quick and simple. Please note that the ability to comment with a C&L site account is no longer available.

We welcome relevant, respectful comments. Any comments that are sexist or in any other way deemed hateful by our staff will be deleted and constitute grounds for a ban from posting on the site. Please refer to our Terms of Service (revised 3/17/2016) for information on our posting policy.

Please Do Not Use the Login Link at the Top of the Site.

In order to comment you must use an Insticator account. To register an account, enter your comment and click the post button. A dialog will then appear allowing you create your account.

We will be retiring our Crooks and Liars user account system in January, 2021.

Thank you.
C&L Team