Chrome Eavesdropping Bug Exposed; Researcher Endorses SCA

May 01, 2014 By Sharon Solomon

Google Chrome has come a long way since its initial release back in 2008. Almost 60% of the users today prefer the Google-made browser. But even this fast and responsive browser has its vulnerabilities. Hackers can now eavesdrop on unsuspecting users and convert their voice to text without prior consent.



Israeli software programmer and security expert Guy Aharonovsky exhibited this glaring security problem with the help of a unique voice recording game, which displays the problems caused by the loopholes left open by the Google developers.


Aharonovsky’s revelation involves an old speech API released with version 11 of the Chromium OS. While not as advanced and accurate as recent APIs released by Google, the aforementioned API’s security glitches make it an ideal hacking tool.


There are two major issues that made the exploit possible:


  1. The hacker can easily manipulate Chrome to achieve the desired results. Google has failed to limit the hacker-friendly parameters such as color, size and opacity. This makes it very hard to detect manipulations.
  2. Hackers can also enable the speech element by clicking anywhere on the screen. The unsuspecting victims have no idea that the feature has been enabled and the indication box can be obfuscated or rendered out of the screen.
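The two issues above can be turned into a page-audit heuristic. The following is an added example, not code from Aharonovsky or Google: it flags speech-enabled inputs that are near-transparent, oversized or positioned off-screen. The `x-webkit-speech` attribute name, the thresholds, the descriptor shape and the premise that the indication box follows the element's position are assumptions not stated on this page.

```javascript
// Added example: audit heuristic for hidden speech-input elements.
// Each descriptor is a plain object; in a browser it would be built from
// el.hasAttribute('x-webkit-speech'), getComputedStyle(el) and
// el.getBoundingClientRect(). Thresholds are assumptions, not Chrome values.
const LIMITS = { minOpacity: 0.2, maxAreaRatio: 0.25 };

function auditSpeechInput(el, viewport) {
  const findings = [];
  if (!el.speech) return findings; // not a speech-enabled input
  const { rect, opacity } = el;
  if (opacity < LIMITS.minOpacity) findings.push('near-transparent');
  const area = rect.width * rect.height;
  if (area / (viewport.width * viewport.height) > LIMITS.maxAreaRatio) {
    findings.push('oversized'); // large enough to catch a click "anywhere"
  }
  const offscreen =
    rect.left + rect.width <= 0 || rect.top + rect.height <= 0 ||
    rect.left >= viewport.width || rect.top >= viewport.height;
  if (offscreen) findings.push('off-screen');
  return findings;
}

function auditPage(elements, viewport) {
  return elements
    .map((el) => ({ id: el.id, findings: auditSpeechInput(el, viewport) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample input (not taken from any real page).
const VIEWPORT = { width: 1280, height: 800 };
const SAMPLE = [
  { id: 'search', speech: true, opacity: 1,
    rect: { left: 400, top: 20, width: 300, height: 30 } },
  { id: 'overlay', speech: true, opacity: 0.01,
    rect: { left: 0, top: 0, width: 1280, height: 800 } },
  { id: 'parked', speech: true, opacity: 1,
    rect: { left: -5000, top: 10, width: 200, height: 30 } },
  { id: 'banner', speech: false, opacity: 0,
    rect: { left: 0, top: 0, width: 1280, height: 800 } },
];

console.log(JSON.stringify(auditPage(SAMPLE, VIEWPORT), null, 2));
```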




Aharonovsky spoke to Checkmarx about the serious security issue, which he claims to have spotted by playing with the vulnerable feature for just a few moments. He expressed his deep disappointment with Google’s lack of interest in the issue, as he believes that the flaw can cause serious damage if embraced by the hacker fraternity.


According to the Israeli researcher, even disabling the microphone under the Chrome settings won’t mitigate this flaw. The hackers can capture conversations on all leading desktop operating systems.


“Source Code Analysis (SCA) can help mitigate these security issues,” Aharonovsky acknowledged. “The flaw is located in old code with no direct ‘owners’, which is a common occurrence during software development. Automated testing is valuable as it can help catch old code regressions that programmers usually have no time to locate or deal with.”


[To Listen without Consent (live demo) – Abusing the HTML5 Speech]


As mentioned above, Google has not released any type of security patch to fix the problem. The internet giant claims that the voice-to-text functionality (recorded text files) is not a high-risk issue and also mentioned that the vulnerable feature turns itself off if no sound is detected for eight seconds after the last mouse click.


More than half of the world’s Web traffic goes through the “Chrome highway”, making this security glitch a serious risk for millions of users. Watch your clicks and browse safely.
