A security flaw in Google Chrome, currently the world's most popular Web
browser, could allow a hacker to turn on a user's computer microphone
and secretly obtain a Chrome-generated transcript of the user's
conversations, according to an Israel-based software developer who
highlighted the flaw in a blog post this week.
The developer, Guy Aharonovsky, told International Business Times he found
the defect in Chrome while experimenting with a voice recognition
feature in the browser. He said he reported the problem to Google through its Chromium bug tracker,
but the company’s developers designated it “low-severity,” which meant
they didn't view it as a top priority and offered no immediate
fix. Google did investigate the problem, he said, but only after he
submitted a blog post about it to Reddit, a popular socially driven news site.
“Google, [like] all developers, [has] a tendency to dismiss the not-so-obvious security bugs,” Aharonovsky said.
A Google spokesperson confirmed the existence of the
vulnerability on Wednesday. “Our security team is actively investigating
this issue,” Google said in an email to IBTimes.
The security flaw in the Chrome browser emerges just as the
world is confronting the frightening prospect of a similarly
long-existent but previously undetected bug known as Heartbleed, which makes millions of passwords across the Web vulnerable to theft.
The spokesperson refused to comment on Aharonovsky’s claim
that Google downplayed the security flaw until his post gained attention
online. "As of right now, we have no further comment other than the one
we provided in our first email," Google said.
While there's no evidence that any Chrome user has been harmed by the
vulnerability, the security flaw's potential damage is significant.
Chrome serves more than half of
the world's Web traffic, and with just one click on a malicious Web
page, a user could unwittingly allow that website to obtain a text
transcript of any conversation near the computer, via the user's
computer microphone.
While most hackers target victims by enticing them to
download a virus or malware file, this bug only requires a Chrome user
to visit a website that's designed to exploit this vulnerability.
Google told IBTimes that a software feature in the browser
generates the text from a user’s voice, which is recorded by a computer
microphone. Google said recorded text files contain “much less
information” than audio files, and if no sound is detected for eight
seconds after the last mouse click, the feature turns itself off.
Aharonovsky created a simple demonstration to
show how the bug could work. In it, computer users are asked to use a
mouse to drag and drop “seeds” onto the ground to grow a tree,
increasing the likelihood that a voice recording is activated every
eight seconds. He said this feature works even if users block access to
the computer microphone in Chrome’s security settings.
The spokesperson said Google could not say when an update with a fix for the security flaw will be available.
“I do not believe [the vulnerability] will be dismissed at
this point,” Aharonovsky said. “It seems like they started to look for a
way to quickly mitigate this flaw.”