Chrome has a 'Voice Recognition' feature, that use your system's microphone and allows you to speak instead of typing into any text box, to make hands-free web searches, quick conversions, and audio translator also work with them.
Google’s browser is also not immune to bugs and this time the new bug discovered in Chrome is capable to listen and record your whole private conversations without your knowledge, by abusing the voice recognition feature.
While working on ‘Annyang’, a voice to text software for websites, the web developer 'Tal Ater' discovered a vulnerability that can be exploited and lets malicious sites to turn your Google Chrome into a listening device, that can record anything said around your computer, even after you’ve left those sites.
Whenever a user visits a speech recognition site that offers them to control the site by using their voice with speech recognition software, the Chrome asks permission to use a microphone, the user accepts. Chrome shows an icon in the notification area that your microphone is on which suppose to be turned off when you close that tab or visit another site.
All a malicious site has to do is get you to enable voice control for any legitimate purpose and shoot out a pop-under window disguised as an ordinary ad, to keep your microphone 'ON'. As long as it remains open, every noise you make will be uploaded to the hacker's server without asking any permission.
He also explained that just by using secure HTTPS connections don’t mean that the site is safe. Once you give the permission to access your microphone for the HTTPS site, Chrome will remember and won’t ask your permission again for that site.
Chrome Speech Recognition Exploit Demo
He reported the flaw to the Google security team in late September, 2013; they accepted the loophole, but never released the update to the desktop users.
A few weeks later, Tal Atar asked the Google Security Team about the reason for the delay in patch delivery, and they replied, “we are waiting for the web’s standards organization, the W3C group to agree on the best course of action”, and so your browser is still vulnerable.
After the public release of POC, the Google spokesperson said, "We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."
He has published the source code for the exploit to encourage Google to fix it and to maintain users' Internet security.