
Chrome Bugs Allow Sites to Listen to Your Private Conversations - lelf
http://talater.com/chrome-is-listening/
======
program
Let's read the spec:
[https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html#security](https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html#security)

"To minimize the chance of users unwittingly allowing web pages to record
speech without their knowledge, implementations _must_ abort an active speech
input session if the web page _lost input focus to another window or to
another tab_ within the same user agent."

Given this, the actual Chrome implementation is wrong.

~~~
falcolas
Hmm. Thinking about how I use google hangouts, this "standardized" behavior
would actually make hangouts virtually useless. For example, I would be unable
to share my screen in any meaningful fashion, or hold a conversation while
multitasking (I program as part of a distributed team, so I do both
frequently).

I'm not entirely sure this spec creates a useful environment for webapp
developers; in fact this limitation would encourage non-standardized
implementations so they could actually be used by normal people.

Interesting to think about, either way.

~~~
kelnos
We're talking about the Speech API here, which isn't something an app like
Hangouts would use. WebRTC, which is more suitable, does not have that
restriction codified into its spec.
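
A page that uses the Speech API can apply the focus rule from the spec text quoted above to its own session instead of relying on the browser to do it. This is an added example, not code from the thread, the linked article or Chrome; `guardSpeechSession` and `makeFakes` are hypothetical names, and the fake window, document and recognizer are constructed stand-ins.

```javascript
// Added example: applies the spec's focus rule to a page's own session.
// `recognizer` needs only the Speech API's start()/abort() methods.
function guardSpeechSession(recognizer, win, doc) {
  let active = false;
  const aborts = []; // reason for each forced abort, for auditing

  const abortIfActive = (reason) => {
    if (!active) return;
    active = false;
    aborts.push(reason);
    recognizer.abort(); // abort() discards pending audio; stop() would still return a result
  };
  const onBlur = () => abortIfActive('blur');
  const onPageHide = () => abortIfActive('pagehide');
  const onVisibility = () => { if (doc.hidden) abortIfActive('hidden'); };

  win.addEventListener('blur', onBlur);
  win.addEventListener('pagehide', onPageHide);
  doc.addEventListener('visibilitychange', onVisibility);
  recognizer.onend = () => { active = false; }; // session ended on its own

  return {
    aborts,
    isActive: () => active,
    start() {
      // Never begin capture from a hidden or unfocused window.
      if (doc.hidden || !doc.hasFocus()) return false;
      if (!active) { recognizer.start(); active = true; }
      return true;
    },
    dispose() {
      abortIfActive('dispose');
      win.removeEventListener('blur', onBlur);
      win.removeEventListener('pagehide', onPageHide);
      doc.removeEventListener('visibilitychange', onVisibility);
    },
  };
}

// Constructed stand-ins for window, document and a recognizer, so the guard
// can be exercised outside a browser (Node provides EventTarget and Event).
function makeFakes() {
  const win = new EventTarget();
  const doc = Object.assign(new EventTarget(), { hidden: false, focused: true });
  doc.hasFocus = () => doc.focused;
  const calls = [];
  const recognizer = { calls, start: () => calls.push('start'), abort: () => calls.push('abort') };
  return { win, doc, recognizer };
}
```

In a browser the guard would be given the real `window`, `document` and a recognition object; note that it takes over the recognizer's `onend` handler.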

------
nthj
tl;dr: When you explicitly grant a website access to your microphone, the site
may keep listening in a popunder window after you close the original tab.

~~~
yincrash
without any visual cue that it is listening, while normal chrome tabs show a
visual cue.

~~~
nthj
Fair enough. When I saw the title I first thought any random website could
start silently listening, NSA-style—the real story isn't nearly that crazy.

~~~
coldtea
Well, given how Chrome's "implementation" works, all it takes is a Chrome
exploit for that to happen too...

------
pasbesoin
Progressions:

Browser --> Sandbox (within browser) --> "Operating system" (within browser)

Pages --> (Dynamic) Ads, "tracking", "web apps" --> Pervasive, intrusive
monitoring via exploitation

If you are going to turn your browser into an operating system, you'd better
get the security right -- and spend some time reflecting on the ongoing Java
fiasco.

And maybe stop calling it a "browser" -- unless you mean that I'm now the one
being browsed.

------
uptown
If you're interested in blocking microphone access, you should be able to do
so using this user-script:

[http://userscripts.org/scripts/show/110566](http://userscripts.org/scripts/show/110566)

And TamperMonkey to enable the script:

[https://chrome.google.com/webstore/detail/tampermonkey/dhdgf...](https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en)

~~~
magicalist
You can just go to settings and search for "Microphone" (or look in "content
settings"), then switch it from "Ask me" to "Do not allow".

~~~
rdudek
^ This!

No need for 3rd party scripts to do the same, especially all the fiasco going
around with adware folks getting into extensions.

------
Sven7
Unrelated but anyone know when the Speech API gets into other browsers? Is
Mozilla going to be hosting recognition servers?

------
taivare
I hear Google is coming out with 'Goggles' they record your surroundings in
both audio and video.

------
Spone
NSA backdoor uncovered!

------
ndesaulniers
bug, or feature? nudge nudge, wink wink.

------
fem
His demonstration video is suspect: he hides a popup of the same domain
authorized to access the mic behind the main Chrome window, which is
convenient because in real life popup windows usually appear in the foreground
and are quite noticeable, if they weren't blocked by Chrome's popup blocker
altogether.

He is misrepresenting his personal disagreements about UI/UX decisions as
exploits or bugs in Chrome, which is disingenuous, especially as he edits his
video to hide the safeguards (mainly the popup blocker).

Also, the Speech API does not send audio to the authorized site, only machine
transcription of the audio, which is not as pertinent, which also speaks to the
misrepresentation of the author.

~~~
poopsintub
I've experienced pop-ups occurring that go behind. It's not like you don't
notice it or anything though. Should this be considered a Chrome security
flaw? You did, after all, grant privileges to that site. Revoke and report the
site?

~~~
sil3ntmac
I would say yes. Pop-unders should be blocked, and modern browsers work pretty
hard to, but it is often viewed as a "low priority" sec issue, and so
workarounds are found, ignored, used in the wild, and patched. Here is one
implementation, I have seen working versions up to Chrome ~30:

[https://github.com/tuki/js-popunder](https://github.com/tuki/js-popunder)

Another serious security issue is when the popunder waits for a while as the
parent frame navigates itself to e.g. "java.com", then the child navigates the
parent to a malicious drive-by download. This can make it appear to "spoof" a
drive-by download. This attack vector has been known and ignored forever (I
think Zalewski published about this years back). IE9 and 10 actually do a good
job preventing this, but I know it works in most modern browsers.

