Google Chrome users are no strangers to speech recognition software -- heck, the internet browser has "Ok Google!" voice recognition built right into its URL navigation bar. But that recognition is triggered to "listen" only when you've opened a new tab or navigated to Google's homepage, and the expectation is that the browser isn't able to listen in otherwise. Not so, says speech recognition program developer Tal Ater, who discovered an exploit in Chrome's speech recognition that enabled unscrupulous websites with speech recognition software to listen in when users aren't expecting it.
First, you have to give permission to a website to allow speech recognition to work. After that, however, the website may open a pop-under window with the intent of secretly continuing to listen -- even if you've closed the tab and moved on. Google Chrome must remain running, and you have to miss seeing the pop-under, but it's certainly an issue.
Moreover, Google knows of the problem and has yet to fix it... despite a fix existing. Ater describes reporting the issue to Google, finding out that the company had fixed it soon after, and then finding that the fix was not implemented in subsequent updates. Google confirmed that to Engadget with the following statement:
"The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements."
Given Google's compliance with speech recognition standards, it sounds like Mountain View isn't changing the way Chrome's speech software works just yet, though we'd be surprised if some form of visual indication of recording wasn't included in a future build. A video of Ater demonstrating the exploit is just below.