New information from Slashdot today exposes a bug in Google Chrome that means “malicious sites can activate your microphone, and listen in on anything said around your computer, even after you’ve left those sites. Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised.”
Wait…what? Yes, you read that right. Let’s look at that again slowly. There is a bug in your install of Google Chrome that allows anyone to activate your microphone and record anything that occurs around your computer. Even while you’re not on your computer. Do you understand the level of intrusion this entails? Your house is bugged. Right now. As you read this, your Chrome browser is wide open, and may be recording you. Before you throw the “conspiracy theory” flag, look at this.
Wanting speech recognition to succeed, I of course decided to do the right thing…
I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers had identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later my find was nominated for Chromium’s Reward Panel (where prizes can go as high as $30,000).
Google’s engineers, who’ve proven themselves to be just as talented as I imagined, were able to identify the problem and fix it in less than 2 weeks from my initial report.
Did Google send that fix to Chrome users with an apology? No. Did they include it in an update? No. It’s been four months, and Google claims it’s still waiting for its “Standards Group” to “decide on the best course of action.” Which, as we all know, means “We aren’t changing a thing.”