Chrome lets websites secretly record you?! Google says no, but...

A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case. "Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised," Israeli …

COMMENTS

This topic is closed for new posts.

Silver badge

Dodgy?

the language that mandates that behavior was removed from the spec in a later errata

I'm usually all for being suspicious of Google, but I'd much rather focus a bit more on the W3C : the original mandated feature was addressing a clear privacy issue and yet it was just removed. Is the W3C's reasoning documented anywhere?

6
0

Re: Dodgy?

I'm guessing this was changed to allow the use case of people continuing to use mic input (having a conversation, etc.) while browsing other web pages. Like how you can talk to someone on Skype without having to have the Skype window visible and in-focus all the time.

Perhaps browsers should prevent cam/mic input starting on non-focussed pages and, once active, ask the user if they want to continue sending if the input-receiving page is de-focused.

10
0
Silver badge

Re: Dodgy?

I think you're right about the case for continuing use of the mic, hence the original wording could be considered to be too prescriptive.

Your suggested solution seems a good one, so I'm puzzled that the W3C chose to pull the whole issue, rather than suggest something on those lines.

1
0

Re: Dodgy?

Perhaps browsers should prevent cam/mic input starting on non-focussed pages and, once active, ask the user if they want to continue sending if the input-receiving page is de-focused.

You propose a good solution, but perhaps it may be simpler to make it inescapably, blindly obvious, even to a user, that *a* tab is using the mic. In most cases people will only be expecting to use the mic on one tab, so when the title bar stays red (or whatever the signal is), they should take that as a prompt to check for other windows.

0
0
Bronze badge
Pint

Re: Dodgy?

Google says The security of our users is a top priority

Excuse me while I laugh so hard my keyboard shorts out from the drool.

A pint for having the balls to say such a statement.

6
2
Bronze badge
IT Angle

Re: Dodgy?

I'm still using Chrome v26.0.1410 from March 2013. Updates are blocked by Outpost Firewall.

Chrome v26 does not have access to my camera or microphone. I don't get a nag screen at startup to "log into Chrome".

0
0
Bronze badge

Re: Dodgy? I have an idea...

If you can afford to (and are willing to help the sagging, flagging, lagging hardware industry sales), buy a second, dedicated conferencing device. Why should we allow unmonitored access to the internal private contents of our devices?

Even if it is a valid reason to keep the mic running while the user flips through tabs looking for content, the user should NEVER be deprived of knowing factually the status of the mic. It should not be masked, obscured, hidden, or otherwise removed from the user's immediate awareness ability.

Part of me wonders whether google got influenced via a national security letter, or got pressured by a committee to "enable" other, side industry players a way to make legit products. But, since it DOES appear fishy, I for now will presume various security agencies or wanton recklessness within google allowed this to happen.

It is insulting, repugnant, and immoral to do or to allow something to deprive the user of the awareness that he or she is being or is capable of being monitored so easily.

And, people anywhere I go wonder why I have electrical tape covering my tablet, phone, and laptop cameras. Plug up the mic with wax, and if anyone demands you conference with them when you cannot afford extra hardware devoid of private contents, tell them to toss off. Rationally make them understand that while you cannot prevent being physically mugged, you have NO obligation to facilitate electronic, remote ransacking by ANYone. If they scoff, they despise or disrespect you and your convictions/sensibilities. Why work with or facilitate or enable such people?

Skype also can be hot-mic'd, I think, on conference room machines. My previous employer thought I was paranoid when I would bring up such things when setting up the dedicated Skype-enabled computer. I would suggest "doming" the machine, and that just pulling out the extended mic cable was not nearly enough to prevent the risk of confidential meetings in the Board Room being picked up by a wired-in remote observer. To be a little ominous, I mentioned laser-capture of voice, too. I guess such information stymies and cripples some companies. Honest ones, though, only have to worry about the risk of competitive information getting out, but at least not worry about non-existent corruption or malfeasance.

Users should have the right to an electronic "Face Toward Enemy" capability, "Enemy" being ANYone who surreptitiously penetrates the firewall -- poke them hard and finger them to hell and grep their asses to the trade rags. If you are a bona fide crim under investigation, and legit, verifiable warrants are properly executed, you're SOL. But, those who are not known to be in criminal or uncouth activities should have the right and means to thwart unwarranted, warrantless, and criminal observation. Why no analogy to good ole 'Merkun football? Screw one-sidedness. Fair's fair. Again, as long as you're not protecting crims or corrupt officials against non-crims.

0
2

Spies

Given that Google is the public-facing arm of the NSA, I think their reluctance to deal with this issue is quite understandable. *They* probably see it as a *good thing*.

22
15
Bronze badge

Re: Spies

Upvoted to outnumber your downvotes because all the US govt sites I now (don't) use (that often) are heavily Googlified. I don't know why they (who or whatever they are) had to screw with the Smithsonian but they have really ****ed that one up.

3
3

Re: Spies

If they can deliver malware to an air-gapped system underneath a mountain in Iran, I'm fairly sure they can listen in on your webcam without having to ask Chrome to be a middle man.

6
0

Re: Spies

"Given that Google is the public-facing arm of the NSA..." I find that sort of statement utterly baffling. Yes, surveillance, broadly defined, is a business model for Google (and many, many others); we know this. And yes, this results in aligned goals between some private-sector players (although certainly not just Google) and public-sector espionage and law-enforcement agencies.

But to say that Google is "the public-facing arm of the NSA" is such an oversimplification of an extraordinarily complex set of circumstances. I guess I find it annoying (and completely unhelpful) that people think about these issues in such simplistic terms.

0
0

Street View

It's not like this sort of thing never happened before, eh

5
1
Silver badge

Simple

Configure ALSA to tell Chrome that the tuner is a microphone, and tune in to Al Jazeera.

8
0
Silver badge

Or just don't use chrome.

20
0
Anonymous Coward

Or just don't use chrome.

Agree.

You're using software and services of a company whose main income is from data gathering and you didn't see this one coming? Evidently there is still one born every minute...

18
5
Bronze badge

Errr yes, because google are gathering this mic data? Talk about jumping on the privacy bandwagon, I'm all for serious discussion around the issue but saying google have allowed this so that they can intercept your microphone is bollocks of the highest order! For a start, it has to be a website you're visiting that receives the mic data, you have to give this site permission and then you have to not notice a popup to even have this happen to you. Hardly going to help Google is it. Then of course there is the fact that they are standards compliant, if the standards said they should not allow this and they did, then you may have a complaint but they don't. What I want from a browser is a standards based approach, not them to do whatever they want.

8
7
Silver badge

I agree, that's why I use chromium.

0
0

All that chrome

I never used chrome, not that other options are all safe, but with chrome, it is unsafe by policy.

For an innocent (?) explanation, the hidden mic could be the need of the hands free feature.

Anyway, if you have downloaded any software for an OS which is not in a walled garden, there is always a risk of snooping, using social engineering. And since Chrome is being projected as an OS itself where websites are essentially apps, this anarchy is being extended inside the walls as well.

2
0
Bronze badge

Re: All that chrome

Oh, come on, people! IIRC, even well before Chrome came into existence, surreptitious voice collection against the computer mic has been reported, IIRC, before 1997. It just wasn't talked about much in the public. Besides, the computer is just a big, fancy reflector and collector, and can be manipulated as an antenna -- transceiver, if you will -- by anyone with the proper tools and skills.

All this means now is that when anyone is concerned about privacy, wrap up the devices in matter what will disrupt smooth, useful capture of pulses. I dunno whether is sound mounting, or mounting on rocks or semi-wadded aluminium wrap, or hanging reflectors and white noise balls in a room while a fan randomly nutates/rotates to inject weird perturbations. I dunno. But, I bet wrapping the phone and leaving it in the pocket still allow bone-retransmission to some extent, even if only 7 or 10 feet. Line enough public restrooms and transit vehicles and keep a current inventory, it might be possible to hot-track anyone whatever state (status) a phone is in.

Don't forget lasers and keystrokes.... Every tool in the kit ensures some amount of collection and overlap...

So, if you're into kinky sex, cheating, or just selling proprietary information, and can be identified to be in one or more of those categories, and frequent hotels, you better not take your phone into the room. Better yet, change up your meeting sites, and spend 4 hours trying to ditch tails and avoid f/r cams, hahahah. All this release is doing is "normalizing" most people. Artists in the trade of info dealing probably have skills and tools to thwart most "gotcha" Kodak moments that might otherwise land them in jail.

Might make for an interesting movie, or better yet, a 19-episode serial production...

0
0

An OS function?

Is it getting to the point where a request to enable AV input devices (microphones, cameras, fingerprint readers etc.) by any application should be caught by the OS, and a confirm dialog be presented to the user followed by a system tray icon or more obvious visual indication that things are being recorded?

3
0
Anonymous Coward

Re: An OS function?

Except you visit 50s or 100s of sites in a single day VS 5s or 10s of apps a month.

0
0

Re: An OS function?

True. OTOH, I usually expect/want exactly zero of these sites to use the mic or cam. Clicking OK for the one or two exceptions per year I can handle.

5
0

Chrome

I have to use Chrome at work, all the others are blocked, no really.

I use FF at home

1
0
Silver badge

Problem solved.

An even more complete solution would be to switch the computer off and go outside.

Facetiousness aside, disabling this feature is very secure but not very forward looking. The voice and video apis in the new web standards are an important part of providing proper, cross browser, cross device and multi os support for communication apps. That is what we should be aiming for.

The spec for this feature needs to be "disabled in all windows by default, can be explicitly enabled in a single window, that window cannot enable other windows". If Google just implemented that I'm sure the "living standard" would follow....

1
3
Bronze badge

I see you're not blind to half the facts

"The spec for this feature needs to be "disabled in all windows by default, can be explicitly enabled in a single window, that window cannot enable other windows". If Google just implemented that I'm sure the "living standard" would follow...."

What standard of living would that be for blind people?

0
0
Silver badge

Re: Problem solved.

"The voice and video apis in the new web standards are an important part of providing proper, cross browser, cross device and multi os support for communication apps"

My office is noisy enough as it is though everything using dragon dictate to spout code into the ether.

0
0

Microphone?

Why would my computer have a microphone?

It's a computer, not a phone.

5
4
Happy

Re: Microphone?

"Why would my computer have a microphone?

"It's a computer, not a phone."

A computer isn't a typewriter, and yet you can compose documents on it.

A computer isn't a post office box, and yet you can send and receive mail on it.

A computer isn't a jet plane, and yet you can visit Paris and tour the Louvre on it.

A computer isn't a CD player, and yet you can listen to CDs on it.

A computer isn't a DVD player, and yet you can watch DVDs on it.

A computer isn't a TV set, and yet you can watch TV on it.

A computer isn't a digital voice recorder, and yet you can dictate into it.

A computer isn't a videophone, and yet you can have video chats and teleconferencing on it.

A computer isn't a music studio, and yet you can do multi-track mixing and recording on it.

A computer isn't a drafting table, and yet you can do architectural drawings on it.

With the right hardware, built-in, added in, or plugged in, and the right software, a computer can emulate any number of dedicated devices.

Yes, even a phone.

8
1
Bronze badge

Re: Microphone?

Martin, I think you missed the point. Most business computers do not need microphones plugged in, their use is not part of the work load and in an industrial situation they would be a liability.

On the other hand what a person does in their own time at home is an entirely different matter and is their responsibility.

0
5
Anonymous Coward

Re: Microphone?

"Martin, I think you missed the point. Most business computers do not need microphones plugged in, their use is not part of the work load and in an industrial situation they would be a liability."

Show me a standard laptop which doesn't include a Mic....

0
0
Silver badge
Black Helicopters

Spyware

IMO Chrome is despicable mis-marketed Google Spyware anyway. They are NOT a Tech company but a creepy Advertising Company that uses Tech.

12
2
Anonymous Coward

I miss Java Applets

Gone are the days, a company named Sun thought all the dodgy tricks and put a non-avoidable status bar warning on browser app windows (Applets). Now, after more than a decade, we must be expecting better and more intuitive countermeasures. But alas...

1
0
Bronze badge

I've read this story across many different sites and I still don't see the problem.

The only way to fall victim to this is to allow a site to listen to your microphone? So surely this only affects the sort of people that tell every website they visit that "yes, please feel free to listen to my microphone" regardless of what the site is, these people incidentally are also the ones that download and open every attachment on every email and click every banner that says something like "437 billion problems have been detected with your computer, download Super Anti Virus Malware Scam remover 2026 now to fix these problems"

You can't use technology to save the stupid people all the time.

7
8

Would this exploit stop the microphone from displaying the "In Use" light on the mic? I have a webcam with in-built mic for Skype and the likes. Highly doubt that it can turn this off.

0
0
Bronze badge

If THAT'S all you're wondering about, then ponder this:

The mic possibly could continue to record even when you "turn it off". Even if you turn off the antenna, turn on airplane mode, and Faraday-cage it when not in use, it might work in concert with the accels/gyros and report what was audible at what lat/long or near what cell tower, or in what coffee shop or library said audio was captured. Then, when reconnected to a net, micro-bursted in small, non-lag/latency-affecting snippets neither you nor any sleuthing tools you install could find. It doesn't even have to be the NSA doing this -- it could be slightly-advanced script kiddies, employers, suspicious spouses, police, data thieves, nosey neighbors, anyone who can find or employ the services of the kit or a person versed in its use.

The notepads with all their rights-grabs... You type what you think is personal stuff not discoverable to anyone. But, you browse all sorts of sites, and gradually, multiple hackers are infesting your device(s), one or more competing for access to your stuff, your inner digital sanctum. You might begin to wonder why so much lag/latency/stuttery pages despite it being mostly text. Could be your photos and notes are being lifted with you unawares, or aware of the possibility, but, as long as you use devices you load with software from unvetted (not by reviews, but by a valid security team paid to help you keep your secrets protected beyond google's semi-empty gestures) sources.

Just wait til you use a bonk/tap/rub-together device, or hug someone who is wearing a micro-filament-antenna garment that can either access or short out electronics carried by unsuspecting targets.

Application Permissions Required for Use:

-- access to antenna

-- access to contact lists

-- access to keyboard

-- ability to create, modify, and tear down ad hoc networks (without your knowledge, awareness, or consent)

-- ability to blurp your location (without your knowledge, awareness, or consent)

-- ability to access sensitive logs

-- ability to modify (read, edit, delete) contents of the above

-- ability to start services that cost you money

-- ability to prevent the device from sleeping

-- ability to control the screen

-- ability to operate the microphone

-- ability to prevent the disruption of active transmissions or reception

-- ability to read password-protected files

-- ability to back up your files to one or more sites

-- ability to incriminate, implicate, extort, blackmail, harass, intimidate, or frame you, if the need arises

......

Digital Age Phase 3.5.2.5.33(1)a....

0
0
Anonymous Coward

Re: If THAT'S all you're wondering about, then ponder this:

...(1)a...BETA

0
0

This post has been deleted by a moderator

Anonymous Coward

Firefox all the way !

You can't 100% trust Google to protect the web, Firefox is the web future.

3
2
Bronze badge

Re: Firefox all the way !

Not the way they're going it's not. I never even heard of Extended Support Release until Firefox 26. If this is progress, then count me as a Luddite... For starters I vote we bring back the old Download Manager, and keep the Menu Bar as well... It can't be that hard... But, it apparently is....

1
0
FAIL

Re: Firefox all the way !

I'd love to say a wholehearted yes but it's not as easy as it was. I still use FF as my main browser on all my machines - primarily due to ABP and Flashblock - but there seems to be a swing towards reducing stability of late which is worrying because it isn't being dealt with in preference to Awesome bars and such like..

At home my i7 machine (Win 7 x64 home build and well specc'd with memory and MB etc) about 9 months ago I noticed that FF gradually got slower and slower until it reduced to a crawl over the space of 1-3 days. The only way to solve it is to kill and restart FF. A more permanent fix I found was to regress to version 17.0.1 and stay there until the other night when it managed to update itself to the latest v26 without my permission (killing things like persistent website logins and download history).

Then separately about the time I upgraded my MacBook Pro (17" mid-2010 i7 Snow Leopard) to Firefox 24 I started getting Kernel Panics which increased when I moved to FF 25. In the 3 years to that point I'd never had a Kernel panic on that machine ever. Regressed to FF version 23 (last known version before Kernel Panics started) and I've not had a problem since (touch wood).

The first problem Mozilla do seem to know about (from what I've found) but it isn't a high priority other than a Dev saying "we ought to keep an eye on this". I've not investigated the second Mac issue - as much as I'd love to I just don't have the time to debug other people's code.

This isn't related to the number of tabs open before anyone asks - the older versions cope fine with the same number of open tabs/windows as the newer problematic versions.

And as always YMMV.

1
0

Re: Firefox all the way !

Still on snow leopard? Let me guess you're one of those tech "geniuses" that can't handle change due to not really being all that bright with tech but that hasn't stopped you from mucking about and putting your computer in such a state that any change is actually bad.

Firefox works like a dream on my 2013 MBP, my 2006 thinkpad and my eee 901. My guess is your real problem is behind the keyboard.

0
2
Bronze badge

Re: Firefox all the way !

I've been running FF25 since November with no problems, though I don't use tabs, as I found them actually more confusing to deal with than separate windows.

I've puttered around with Safari (spit) and Opera (m'eh) and went back to FF because, like yourself, I really loves me some AdBlock, NoScript and FlashBlock... not to mention DownloadHelper, for grabbing all those YouTube clips from Egypt, Syria, Turkey, Kiev, and Fullerton before they're "scrubbed".

1
0
Bronze badge

Re: Firefox all the way !

I bought my MBP in November -- finally, at last! -- and have been running FF25 with no major issues. It shipped with Mountain Lion (OSX 10.8.5) installed, and am in no hurry to upgrade to Mavericks after all the horror stories I've been reading.

One of the first things I did was replace Safari with FF25, with updated versions of all my mainstay add-ons (NoScript, AdBlock, etc), and didn't do any further futzing around except to import my bookmarks from my old version of FF.

FF25 has also been totally ace here as well. I'm sure that not going batso with tabs helps a lot.

0
0
Big Brother

Turn the mic off

There is an easy way to fix this. The most obvious solution is the one in the article - go into Chrome options and tell it to never touch your microphone and camera.

The other solution is go into Windows Control Panel and locate the Sound control panel. Then just Mute the Microphone from there. That way, no matter what program tries to mess with your microphone they won't hear anything if it is muted.

What is most concerning is the number of people who use Chrome but have no idea why. When you talk to them you find it has just been sneaked onto the PC as part of an Adobe Flash update or some other program. Most of my clients who are using it never chose it. With an underhand method like that for installing your product, this revelation of access to a microphone without full feedback on screen that it is operating does not surprise me at all.

I make sure my clients realise Google is an advertising company and then ask them if they really trust Chrome...

7
2
Bronze badge
Linux

Re: Turn the mic off

not being a troll, but even under linux to make sure there is no recording I would still feel the need to do something physical, like unplugging the microphone.

Maybe it's my paranoia, or perhaps it is because whereas genius is a rare delicate treat, incompetence is commonplace....

P.

5
0
Bronze badge

Re: Turn the mic off Huh??

Cannot the speakers be reversed as crude mics? Even if an icon says "Off", it could be falsely displaying the current status.

All computer circuits themselves might to some extent be manipulable to act as crude beacons if not audio slurp sinks.

When not actively using the machine, drop it in a roady's foil-and-foam-lined speaker transport box.

We ordinary people have no real means of knowing nor thwarting this stuff. We are just probably going to have to accept "renormalization" of our expectations.

Don't let human or electronic "tails" tell-tail on the tail you tail. Don't do Oingo-Boingo-Style "Nasty Habits" around electronics. ("Take the phone off, lock the door, shut the curtains... Make sure that the neighbors are without suspicion -- NO one will KNOW, NO ONE WILL KNOWWWW...... Nasty Secrets, I must condone... No one knows what I do when I'm ALL ALONE.... " hahaha) ... If you're worried about "perve mics"....

0
1
Silver badge

The real surefire way for Chrome users to be sure they're not being listened in on is to use Firefox. :p

0
0
Bronze badge

Again for how much longer though? I'm already using Firefox 24ESR. And sooner or later even support for this is gonna end. It's time for a new Firefox upstart to come along and keep the bits of Firefox that were / ARE good. Without having to Windows 8-ify everything just cause they can, and are bored to death...

1
0
Anonymous Coward

Another solution

Don't keep your microphone connected! Wow!

1
2
Bronze badge

I see a lot of talk about the Desktop

But, lest we forget Google dabble in Mobile too... And, unlike most Desktops, (Take mine PLEASE!) I suspect there isn't even a Mic hooked up. Sadly, (or not...), the case with Mobiles though. Now how safe I am running some rolled CM10 on my ancient assed Galaxy Tab (GT-P1000), I know not, I've dabbled with Chrome on Android before, and didn't like it. So I opt to use the AKOP Browser instead. This kind of duchery makes me wonder if this really is just targeted only at Desktop Users though....

0
0
