Earlier this week, web developer Tal Ater warned of a Chrome exploit that could allow an unscrupulous website to listen in to your computer's microphone while you speak. Here's what you can do to protect yourself.
Title photo made using Ron and Joe (Shutterstock)
What's Going On?
Here's the lowdown. Once you give a site permission to use your microphone or camera, Chrome assumes that site will have permission to do so in the future. That means every instance of that site and every page on that site, also has access to your camera and microphone. A sneaky site owner could throw up a pop-under window in the background that's listening in to everything you say, or worse, listening and set to trigger some action (like recording) when you say specific words or phrases.
Ater reported it to Google back in September. Google doesn't see it as a problem, and says it's in compliance with W3C (the World Wide Web Consortium) standards. Google does have a point: In order for the issue to be a real threat, not only do you have to visit a site that would want to record your speech, you'd have to grant it access to your microphone, and then you'd have to not notice a pop-under window from that site lingering in the background. Plus, you'd also have to not notice the visual cue (a red dot in the omnibar) that indicates the microphone is active. Even so, Google's engineers did respond to Ater's report, did come up with a fix that addressed the issue, but -- and this is the confusing part -- didn't push that fix to end-users.
How You Can Protect Yourself
Ater -- along with other security experts -- insist that this flaw could be exploited and you may never know. What you can do is review the sites you've allowed to access your microphone and camera in Chrome. It's not difficult. Here's how:
- Open Chrome, and type chrome://settings/contentExceptions#media-stream into the Omnibar.
- You'll see the Media Exceptions screen, where you can see which hostnames have permissions to your microphone and camera, and which of those two each site has access to.
- Highlight any site you want to remove, and click the "x" on the right side of the line.
- Save your changed by clicking Done.
PCWorld also notes that if you prefer, you can just go to: chrome://settings/content Then scroll down to Media, and instead of "Ask me when a site wants to use a plug-in to access my camera and microphone" (which is the default setting), select "Do not allow any sites to access my camera and microphone". Doing this will also disable features such as Google's Conversational Search, which can be pretty useful, and disable any other voice-activated features in Chrome or elsewhere on the web.
It's worth noting that these settings are different from sites that use Adobe Flash to access your camera or microphone. The Media Exceptions screen above has a link to where you can change those settings and review the sites with permissions to your hardware, but you can get to it here.
The debate over whether this is even a real threat and how much of a threat it is will likely rage for weeks until it either dies down or Google decides to add some stopgap feature to Chrome to address it. While experts debate the nuances, at least these tips will let you manage your own security when and if you choose to.