Is Chrome letting malicious websites spy on your conversations?

Graham Cluley

A feature built into the popular Chrome web browser can be exploited to allow remote websites to secretly spy upon your conversations and record everything that you say.

That’s a claim made by Israeli web developer Tal Ater in a blog post he published this week.

As the following video describes, all a malicious website has to do is trick you into enabling Chrome’s voice control feature for a legitimate purpose (such as dictation), and it can then continue to secretly snoop upon your conversations even after you think you have long left the site.

[Video: Chrome Bug Lets Sites Listen to Your Conversations]


The surveillance continues because the malicious website has opened a pop-under window, beneath your main browsing window and out of sight. If the pop-under window is disguised as an advert, victims may not realise that they have potentially been spied upon.

Chrome is supposed to display a flashing red dot in a page’s tab to signify that a particular site is recording sound through the user’s microphone. However, from the above video it appears that the hidden pop-under window doesn’t display this visual reminder to the user.

Ater says that he told Google about the problem four months ago, but he hasn’t received a bug bounty and a fix still hasn’t been rolled out to Chrome users.

And maybe we shouldn’t hold our breath for Google to properly resolve what seems to be a potentially serious security issue.

Gizmodo reports an official statement from Google that downplays the issue, and claims there is nothing wrong with Chrome:

The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.

Find out more about the vulnerability by visiting Tal Ater’s website.

What do you think? Do you think Chrome is endangering privacy by working in this way? Do you want Google to fix the “bug” or is it okay for them to leave it as-is? Leave a comment below and have your say.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
