The Mac version of the Shazam music discovery application can keep the device’s microphone active even after the user has turned off the application.

Malware has the potential to silently spy on Mac OS X users through the device’s webcam and microphone by piggybacking on legitimate applications that use these functions, such as FaceTime and Skype, said Patrick Wardle, director of research at Synack, who discovered the issue.

Wardle developed a tool, named OverSight, that alerts the user when the webcam or the microphone becomes active and allows them to block the process if it seems suspicious.

One user of the OverSight tool discovered that the Shazam widget keeps the microphone active even when the app has been switched off.

Wardle reverse-engineered Shazam and found that the application continues recording even after it has been turned off, but that it does not process the audio data while disabled.

“Though it appears that Shazam is always recording even when the user has toggled it ‘OFF’, I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc),” Wardle said in a blog post.

The researcher believes a piece of malware could exploit this functionality to capture audio from the microphone without initiating a recording itself.

Shazam developers don’t see this behavior as a serious security risk, but they have promised to address the issue.

