Shazam brought its music-searching chops to the Mac over two years ago, but former NSA hacker and Mac security guru Patrick Wardle revealed this week that the app has a big flaw. With the version of the app for Apple desktops, the software keeps a computer's microphone on after a user turns it off. That's right, the microphone on a Mac was still hot even after Shazam performed its duties and users flipped the switch. The company says it isn't recording or saving anything, processing your conversations or storing what it overhears on its servers.
According to Shazam's vice president of global communications James Pearson, this is a feature and not a bug. If you'll recall, the always-on nature of the app was touted during its announcement, a tool that would continue to run the company's identification methods in the background if you allowed it to do so. However, even when the software is specifically toggled "off," the mic is still on. Shazam only does this inside the Mac app, so if you're using it elsewhere, other versions don't work the same way.
"If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio," Pearson explained to Motherboard. He went on to say that if the microphone wasn't on, the user experience would suffer, causing users to "miss out" on whatever song they wanted to get more info on.
So, what if a hacker wanted to get their hands on the data that would allow them to listen in from your Mac? Well, Shazam claims that can't happen. The company's chief product officer Fabio Santini told CNET that the method the app uses to identify songs uses "fingerprints" or pieces of the audio that are then matched to other "fingerprints" in its database.
"Those points can't be reverse-engineered to reconstruct original audio," Santini said.
Never say never, Shazam. In response to this week's revelation, the company plans to "address" the issue in an upcoming update which will be released "within the next few days." Again, Shazam says that there's no risk to users with the app's current configuration. Wardle argues that a piece of malware could be engineered to pull audio from a Mac's microphone without having to turn it on.
"We could get creative and easily design a piece of malware that steals this recording without having to initiate a recording itself (which would likely generate an alert)," Wardle explained.
Update: The company says the always-on feature doesn't mean the app is always recording. In fact, Shazam says the app never records audio; it matches it. The software only grabs enough info to construct an audio "fingerprint" to compare with its database. Each sample is deleted once a song or other sound profile is identified. However, the microphone remains on even after users are mindful to turn it off.
"We are always sensitive to what our users experience and we respect these concerns and take them very seriously," Pearson told Engadget. "Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days. Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop."
This post has been updated to reflect the information provided by Shazam after it was published.