Earlier this week, web developer Tal Ater warned of a Chrome exploit that would allow an unscrupulous website to listen in to your computer’s microphone while you speak. Google dismissed the issue, but if you’re wondering what the whole thing means for you, here’s what you can do to protect yourself.
What’s Going On?
Here’s the lowdown. Once you give a site permission to use your microphone or camera, Chrome assumes that site will have permission to do so in the future. That means every instance of that site, and every page on it, also has access to your camera and microphone. A sketchy site owner could throw up a pop-under window in the background that’s listening in to everything you say, or worse, listening and set to trigger some action (like recording) when you say specific words or phrases.
Ater reported it to Google back in September. For their part, Google doesn’t see it as a problem, and says it’s in compliance with W3C (the World Wide Web Consortium) standards. Google does have a point: In order for the issue to be a real threat, not only do you have to visit a site that would want to record your speech, you’d have to grant it access to your microphone, and then you’d have to not notice a pop-under window from that site lingering in the background. Plus, you’d also have to not notice the visual cue (a red dot in the omnibar) that indicates the microphone is active. Even so, Google’s engineers did respond to Ater’s report and did come up with a fix that addressed the issue, but (and this is the confusing part) didn’t push that fix to end-users.
How You Can Protect Yourself
So where does this leave you? In short, not too far from where you started. The issue is with Chrome, and Ater, along with other security experts, insists that it could be exploited and you may never know. While the argument continues on that end, what you can do is review the sites you’ve allowed to access your microphone and camera in Chrome. It’s not difficult. Here’s how:
- Open Chrome, and type chrome://settings/contentExceptions#media-stream into the Omnibar.
- You’ll see the Media Exceptions screen, where you can see which hostnames have permissions to your microphone and camera, and which of those two each site has access to.
- Highlight any site you want to remove, and click the “x” on the right side of the line.
- Save your changes by clicking Done.
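The same review can be scripted. The sketch below is an added example, not code from the article, PCWorld or Google: it assumes the layout current Chrome builds use in a profile's Preferences JSON file (exceptions stored under profile.content_settings.exceptions, with a setting of 1 meaning "allow"), and it runs against a constructed sample rather than a real profile.

```python
import json

# Chrome content-setting values: 1 = allow, 2 = block, 3 = ask.
ALLOW = 1
# Keys under profile.content_settings.exceptions in the Preferences file
# (assumed layout from current Chrome builds, not taken from the article).
DEVICE_KEYS = {"media_stream_mic": "microphone",
               "media_stream_camera": "camera"}

# Constructed sample standing in for a real Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://voice.example:443,*": {"setting": 1},
            "https://blocked.example:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://voice.example:443,*": {"setting": 1},
            "https://meet.example:443,*": {"setting": 1},
        },
    }}}
})


def allowed_media_origins(preferences_text):
    """Return {origin: sorted list of devices} for every origin set to Allow."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants = {}
    for key, device in DEVICE_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            if entry.get("setting") != ALLOW:
                continue  # blocked or "ask" entries grant nothing
            # Pattern is "primary,secondary"; the primary part is the origin.
            origin = pattern.split(",", 1)[0]
            grants.setdefault(origin, []).append(device)
    return {origin: sorted(devs) for origin, devs in sorted(grants.items())}


if __name__ == "__main__":
    # Each origin listed is trusted as a whole: every page and window on it
    # shares the grant, which is the behaviour the article describes.
    for origin, devices in allowed_media_origins(SAMPLE_PREFERENCES).items():
        print(f"{origin}: {', '.join(devices)}")
```

To audit a real profile, read its Preferences file and pass the text to allowed_media_origins(); anything it returns that you do not recognise is a candidate for removal on the Media Exceptions screen.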
PCWorld also notes that if you prefer, you can just go to chrome://settings/content, scroll down to Media, and instead of “Ask me when a site wants to use a plug-in to access my camera and microphone” (which is the default setting), select “Do not allow any sites to access my camera and microphone,” which is kind of the nuclear option. Doing this will also disable features like Google’s Conversational Search, which can be pretty useful, likely break any voice integration with Google Now (which will arrive in Chrome any day now), and disable any other voice-activated features in Chrome or elsewhere on the web.
It’s worth noting that these settings are different from sites that use Adobe Flash to access your camera or microphone. The Media Exceptions screen above has a link to where you can change those settings and review the sites with permissions to your hardware, but you can get to it here. Odds are that list is a bit more interesting, although most sites there should be set to “always ask” before they can do anything, so any real threat is diminished.
The debate over whether this is even a real threat and how much of a threat it is will likely rage for weeks until it either dies down or Google decides to add some stopgap feature to Chrome to address it, but these kinds of issues come with the territory now that voice commands and interactive control are becoming commonplace on our phones and computers. While experts debate the nuances, at least these tips will let you manage your own security when and if you choose to.