That’s a claim made by Israeli web developer Tal Ater in a blog post he published this week.
As the following video describes, all a malicious website has to do is trick you into enabling Chrome’s voice control feature for a legitimate purpose (such as dictation), and it can continue to secretly snoop on your conversations even after you think you have long left the site.
The surveillance continues because the malicious website has opened a pop-under window, beneath your main browsing window and out of sight. If the pop-under window is disguised as an advert, victims may not realise that they have potentially been spied upon.
Chrome is supposed to display a flashing red dot in a page’s tab to signify that a particular site is recording sound through the user’s microphone. However, from the above video it appears that the hidden pop-under window doesn’t display the visual reminder to the user.
Ater says that he told Google about the problem four months ago, but he hasn’t received a bug bounty and a fix still hasn’t been rolled out to Chrome users.
And maybe we shouldn’t hold our breath for Google to properly resolve what seems to be a potentially serious security issue.
Gizmodo reports an official statement from Google that downplays the issue, and claims there is nothing wrong with Chrome:
The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.
Find out more about the vulnerability by visiting Tal Ater’s website.
What do you think? Do you think Chrome is endangering privacy by working in this way? Do you want Google to fix the “bug” or is it okay for them to leave it as-is? Leave a comment below and have your say.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.