Toying around with voice-recognition apps, developer Tal Ater noticed something strange. Because of a quirk in Chrome's microphone settings, any site enabled for voice-recognition could use a pop-up window to keep recording almost indefinitely, hidden in the background. In Ater's demonstration, he closes the tab and continues talking, only to reveal a pop-up behind the main Chrome window, transcribing everything he says. It's an unsettling thought: could a malicious site use Chrome to listen in on users' offline conversations?
Ater first reported the bug in September
The core of the problem is Chrome's microphone permissions policy. Once you've given an HTTPS-enabled site permission to use your microphone in Chrome, every instance of the site has permission, even windows that pop up unnoticed in the background. And since the code is running in a different window, it won't set off any of Chrome's recording icons. By all appearances, the site won't be accessing the computer at all. The only sure defense is to manually revoke the microphone permission, which most users would never think to do.
As voice recognition becomes more common, the privacy problem grows
Ater first reported the bug to Google back in September, even coding up a proof-of-concept. The bug was nominated for a Chromium Reward, but while Google's engineers easily isolated the problem, their fix still hasn't made it to user desktops. Reached for comment, a Google spokesperson said, "we’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."
Beyond Chrome, there may be an even larger problem at work as the new class of apps require ever more invasive permissions. In-browser services like Hangouts are more convenient when users don't have to reauthorize the microphone for each session, but those blanket permissions can create a real privacy problem. And as the apps become more common, the privacy problem grows with them. For Ater, that's what makes the bug so serious. "Authorizing a site to use speech recognition will soon be as common as talking to Siri," he told The Verge. If you're worried about keeping control of your computer's microphone, that may be a troubling thought.
The post has been updated to include Google's response.