4 Month Old Exploit Still Not Fixed By Google

By | January 24, 2014

4 Month Old Exploit Still Not Fixed By GoogleMakes Chrome users vulnerable to a mic hack.

Following the recent reports about malicious extensions, it looks like Chrome users are yet to catch a breath. According to the recent report, Google has failed to fix a 4 month old exploit, which allows attackers to turn Chrome into a listening device (after users have given a permission to access the microphone for voice recognition purposes).

Since Chrome doesn’t ask for permissions to access your microphone in the future, Annyang, the guy who found the vulnerability, said that hidden banners or pop-ups can too be used as a way to spy on you, even when the browser was closed.

The good news? There aren’t any although it seems that Google did have an internal discussion about the problem yet failed to do anything else.

[Via: Neowin]

About (Author Profile)

Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.

Comments (10)

Trackback URL | Comments RSS Feed

  1. Jeffster says:

    Probably dicussing ways to use this to their advantage….

  2. Rafael Luik says:

    Somebody from Google already commented about this:

    The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.


    They don’t see it as a bug, and me neither. You gave permission to a domain to use your mic, be it in windows you forgot to close or not, it’s working as intended.

    Yes, Chrome may be listening — because you told it to

    • Jeffster says:

      chrome has never asked me for permissions to my microphone when I use google voice??

      • Rafael Luik says:

        I don’t know exactly what you’re referring to when you say “Google Voice” but I’m sure you must have allowed it one way or another.

        If it’s a native feature of Chrome you should know Windows classic desktop hasn’t a permission system, then you allowed full access to your hardware by simply installing Chrome.
        If it’s enabled through a plug-in it has no API permission system to allow/disallow either.

        If it’s in a web page you must have allowed *.google.com at some point.
        I don’t know how extensions are handled.

        • Jeffster says:

          Google automatically allows a lot of extensions and plugins to run in the background. What’s stopping them from running script like the above stated?

          • Rafael Luik says:

            Any extensions can access the mic? And still access it in the background with no page opened? And without your consent?

          • Jeffster says:

            ?? You might want to read what you just wrote. That made less than no sense to me. We went from script on a page to no page without consent??? Why would it ask me for permissions if there is no page open??

          • Rafael Luik says:

            Why would it ask me for permissions if there is no page open??

            So you’re agreeing with me that it asks for your permission one way or another…?

          • Jeffster says:

            the only thing I get asked permissions on is the silverlight plugin “pipelight”. Thats it.