Chrome Bugs Lets Sites Listen To Your Private Conversations 109
An anonymous reader writes "Last year Google rolled out a new feature for the desktop version of Chrome that enabled support for voice recognition directly into the browser. In September, a developer named Tal Ater found a bug that would allow a malicious site to record through your microphone even after you'd told it to stop. Quoting: 'When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can't start listening to you in background windows that are hidden to you. When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there.' Ater reported this to Google in September, and they had a fix ready a few days later. But they haven't rolled it out yet — they can't decide whether or not it's the proper way to block this behavior. Thus: the exploit remains. Ater has published the source code for the exploit to encourage Google to fix it."
2014 (Score:5, Insightful)
Why in 2014 does any self respecting browser allow pop-ups or pop-unders without explicit permission?
Security issues aside there is almost nothing quite so irritating as a website opening additional windows except in the rare list of exceptions most of us are quite used to manually keeping.
surprise! (Score:5, Insightful)
Giving microphone access to a complex piece of software that's primarily used to render, interpret and run code fetched from random places on the Internet... what could possibly go wrong?
Re:2014 (Score:4, Insightful)
: after all it wouldn't be a whole lot of use to display dialogs to users if you then couldn't handle the subsequent action.
Web pages don't need dialogs in separate windows. Seriously, they don't. That's an old-school UI concept dragged to an inappropriate place. You can present a dialog within the page, in a variety of ways. And if you really need to open a separate, permanent window, that's a new tab, and only if the user has explicitly granted permission for such.
There's simply no legitimate requirement for a web browser to ever open another desktop UI window - render what you need to within the tabs you present.