A flaw in Google Chrome’s old speech recognition API could be exploited to steal the transcript the web browser generates when the feature is used.
The vulnerable API was introduced with Chrome 11, said Israeli researcher Guy Aharonovsky. Google has since released a newer API, but Aharonovsky believes several websites still use the old one.
To exploit the vulnerability, an attacker can set up a website and place the x-webkit-speech feature on it. The speech widget is usually visible, but the attacker can make modifications to it.
For instance, the attacker can resize it so it activates regardless of where the user clicks. Furthermore, its opacity can be set so it becomes invisible. The box that shows the user a recording is in progress can be moved outside the screen so the victim doesn’t see it.
All the attacker needs to do is lure the victim to his website and get them to click on the screen.
To demonstrate his findings, the expert set up a website that appears to be a game. As a part of the game, potential victims can plant tree seeds and as the trees grow they can make wishes, which they must say into the computer’s microphone.
What victims don’t know is that everything they say while playing “the game” is collected by the attacker. That’s because the speech recognition feature activates each time they click on the screen.
Aharonovsky said Google is aware of the issue, but has not issued a release yet. Google said the issue is under investigation, but the search engine giant’s security team informed the researcher that the bug is “low-severity” and that they don’t view it as a top priority.
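
For anyone reviewing pages that still use the old API, the concealment described above (a resized, invisible speech widget) can be looked for statically. The following is an added example, not code from the researcher or from Google. The thresholds, function names and sample markup are assumptions, and it inspects inline styles only, so rules applied from a stylesheet or script are not covered.

```python
import re
from html.parser import HTMLParser

# Assumed thresholds (not from the article): a speech widget is normally icon sized.
MAX_PX, MAX_RELATIVE, MIN_OPACITY = 100, 50, 0.2

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    pairs = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def style_findings(props):
    """Return the concealment signs found in one element's inline style."""
    findings = []
    try:
        if float(props.get("opacity", "1")) < MIN_OPACITY:
            findings.append("near-zero opacity")
    except ValueError:
        pass  # non-numeric opacity (e.g. "inherit") is not judged here
    for dim in ("width", "height"):
        m = re.fullmatch(r"(\d+(?:\.\d+)?)(px|%|vw|vh)", props.get(dim, ""))
        if m and float(m.group(1)) > (MAX_PX if m.group(2) == "px" else MAX_RELATIVE):
            findings.append(f"oversized {dim}")
    return findings

class SpeechInputAuditor(HTMLParser):
    """Collects every <input> carrying the legacy x-webkit-speech attribute."""
    def __init__(self):
        super().__init__()
        self.results = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "input" and "x-webkit-speech" in attrs:
            findings = style_findings(parse_style(attrs.get("style") or ""))
            self.results.append({"line": self.getpos()[0], "id": attrs.get("id"),
                                 "findings": findings})

def audit(html):
    auditor = SpeechInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.results

# Constructed sample markup, not taken from the researcher's demo site.
SAMPLE = """<form>
<input id="search" type="text" x-webkit-speech>
<input id="wish" x-webkit-speech style="opacity: 0; width: 100%; height: 900px">
</form>"""

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

An entry with an empty findings list is an ordinary, visible speech input; any entry with findings deserves a manual look at how the page renders.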