Web developers can exploit bugs in Google’s Chrome browser to listen through a computer’s microphone — even if the browser is not open, according to a developer who publicly reported the vulnerability Wednesday.
The developer, Tal Ater, works at a tech start-up in Tel Aviv and also created a popular library for adding voice recognition to websites. While working on these tools, he found several bugs that together could be exploited to surreptitiously listen to people’s conversations near a computer. […]
Chrome users can ensure that malicious sites do not have access to their microphones by refusing to grant them access, which sites must request. They can review which sites they have given permission to in a six-step process. (Click the Chrome menu; click “settings”; click “show advanced settings”; click “content settings” under “privacy”; click “manage exceptions” under “media”; view the list and rescind permission if desired.)
In a statement, Google said, “The security of our users is a top priority, and this feature was designed with security and privacy in mind.” […]
Mr. Ater said that he had no knowledge of anyone exploiting the bugs, and that he went public about the vulnerability only after alerting Google in September. He received a response from Google saying the company would make changes to fix it, but four months later he found the bugs still existed.
Google ultimately decided not to make all the changes because users must grant sites access to the microphone, and also because the voice recognition tool complies with web standards, according to a person with knowledge of the decision, who would only speak anonymously. Google is working on better visual cues to show that access to the microphone has been given, the person said.