
Chrome Eavesdropping Bug Exposed; Researcher Endorses SCA

Google Chrome has come a long way since its initial release back in 2008. Almost 60% of users today prefer the Google-made browser. But even this fast and responsive browser has its vulnerabilities: an attacker can eavesdrop on unsuspecting users and convert their speech to text without their consent.



Israeli software programmer and security expert Guy Aharonovsky demonstrated this glaring security problem with a purpose-built voice recording game, which shows what the loopholes left open by the Google developers make possible.


Aharonovsky’s revelation involves an old speech API released with version 11 of the Chromium OS. While not as advanced or accurate as the more recent APIs released by Google, the security weaknesses of this older API make it an ideal tool for abuse.


There are two major issues that made the exploit possible:


  1. The attacker can easily manipulate how Chrome renders the speech element. Google has not restricted attacker-friendly styling parameters such as color, size and opacity, so a manipulated element is very hard to spot.
  2. The speech element can be activated by a click anywhere on the page. The unsuspecting victim has no idea that the feature has been enabled, because the indication box can be obscured or rendered off screen.


Security expert Guy Aharonovsky spoke to Checkmarx about his latest finding.


He claims to have spotted the issue after playing with the vulnerable feature for just a few moments. He expressed his deep disappointment with Google’s lack of interest in the problem, as he believes the flaw can cause serious damage if embraced by the hacker fraternity.


According to the Israeli researcher, even disabling the microphone in the Chrome settings won’t mitigate this flaw. Attackers can capture conversations on all leading desktop operating systems.


“Source Code Analysis (SCA) can help mitigate these security issues,” Aharonovsky acknowledged. “The flaw is located in old code with no direct ‘owners’, which is a common occurrence during software development. Automated testing is valuable as it can help catch old code regressions that programmers usually have no time to locate or deal with.”


[To Listen without Consent (live demo) – Abusing the HTML5 Speech]


As mentioned above, Google has not released any security patch to fix the problem. The internet giant claims that the voice-to-text functionality (recorded text files) is not a high-risk issue, and also points out that the vulnerable feature turns itself off if no sound is detected for eight seconds after the last mouse click.


More than half of the world’s Web traffic goes through the “Chrome highway”, making this security glitch a serious risk for millions of users. Watch where you click and browse safely.
