Thursday, January 23, 2014

Developer exposes Chrome exploit allowing eavesdropping on offline conversations

If they haven't heard of this previously, or uncovered it themselves, you have to bet that the NSA is looking at this news story closely. On Wednesday, developer Tal Ater revealed an exploit for Google's Chrome browser that has to have the NSA salivating.

Essentially, miscreants can use your computer's microphone to listen in on your conversations. Once a website is given permission to use the device’s microphone in Chrome, it can continue to do so even after the original tab is closed.

The underlying issue is that Chrome remembers the permission state for an HTTPS-enabled website. Keeping that in mind, a hacker could open a pop-under window. Since the code is running in a different instance of the website than the one in the foreground, none of Chrome's recording icons are displayed.

Ater said he reported the issue to Google back in September of 2013. His bug was even nominated for Chromium’s Reward Panel, where prizes can rise to as much as $30,000. Less than two weeks after his bug report, company engineers said they had found the issue and fixed it. Why, then, is he posting about it? Because months later, they have not rolled the fix out to the wild.

When he asked why the fix hadn't been released, he was given a strange answer. The team said that there was still an ongoing discussion within the Standards group, to agree on the correct behavior, and that “Nothing is decided yet.”

When asked to comment by The Verge, a Google spokesperson said,

“We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”

A video demo of the exploit is embedded.
