Cyber attackers have found a way to use the speech recognition feature in Chrome to spy on ordinary users of the worldwide web. They managed to switch on a microphone using bugs in the Google Chrome browser. The exploit was discovered by one of the developers, who found it when working on a popular JavaScript Speech Recognition library. This allowed the developer to find many bugs in the browser and to come up with an exploit which combines all.
The developer was quick to report the exploit to Google’s security team in private back in September 2013. In less than a week, Google’s engineers have found the bugs, suggested fixes, and in the next five days a patch was ready. By the way, the developer’s find was nominated for Chromium’s Reward Panel.
The strange thing was that as time passed, the fix wasn’t released. When asked why, Google’s team answered that there was an ongoing discussion within the Standards group, to agree on the best course of action. In other words, the company couldn’t decide what to do, though there were not many options.
It’s 2014 already, but Google is still waiting for the Standards group to agree on the correct behavior, while leaving Chrome browser vulnerable. Indeed, all it takes is a user to visit a website exploiting speech recognition to offer some interesting new functionality.
Bookmarks