Be careful what you say when visiting voice-controlled websites on Google Chrome. Recently, a security expert discovered that malefactors could leverage the browser's voice-recognition abilities to invade users' privacy, but Google has yet to implement his recommended fix.
Tal Ater, the Israeli programmer behind the "annyang!" speech-recognition script for websites, discovered the vulnerability last September. He submitted a report through the proper Google channels, and received a response right away that engineers were addressing the issue.
However, even though Google has a solution ready, the company has yet to implement it.
The flaw is hardly a trivial one. Most sites that use voice recognition also use secure HTTPS servers. Because Chrome treats those sites as secure, it does not ask permission every time the site wants to run voice-recognition software. Under ordinary circumstances, this is a convenience for users of their favorite sites, since it eliminates a tedious step.
But it's not hard to see how a malefactor could use this feature for ill. An HTTPS certificate is not hard to come by, and programming an invisible pop-up window is well within a competent Web programmer's skill set. This could let website operators listen in on whatever you say after Chrome is closed and, if they wish, record your conversations.
Although the vulnerability represents a clear privacy threat, it remains to be seen whether any site has actually implemented such a measure, or how much a hacker could learn from it. Most people do not converse with their Web browsers outside the confines of a voice-recognition page.
Video chat and online gaming do represent a possible avenue of attack. Imagine logging in to Skype or "League of Legends" and having every word monitored by an outside agency.
The vast majority of video and gaming chats are of no interest to a potential attacker, so sorting through them would be inefficient. Targeting individual users could be a way to glean potentially compromising information, though.
Until Google decides to implement its fix, the best way to keep yourself safe on voice-recognition sites is to use the HTTP version of a site rather than its HTTPS counterpart. This means that a site has to ask permission every time you use its voice-recognition software, and if you see something fishy, you can simply say no.
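A complementary check is to review which sites already hold a remembered microphone grant. The script below is an added example, not code from the article or from Ater's report. It assumes the Chrome profile's `Preferences` JSON stores those grants under `profile.content_settings.exceptions.media_stream_mic`, with `setting: 1` meaning "allow" and `last_modified` in microseconds since 1601-01-01 UTC. The sample data is constructed.

```javascript
// Added example: list origins that hold a persistent microphone grant in a
// Chrome profile. The Preferences layout used here is an assumption.
const ALLOW = 1; // assumed content-setting value for "allow"

// Assumed timestamp format: microseconds since 1601-01-01 UTC, as a string.
function chromeTimeToIso(us) {
  const unixMs = BigInt(us) / 1000n - 11644473600000n;
  return new Date(Number(unixMs)).toISOString();
}

function persistentMicGrants(prefs) {
  const exceptions =
    prefs?.profile?.content_settings?.exceptions?.media_stream_mic ?? {};
  const grants = [];
  for (const [pattern, entry] of Object.entries(exceptions)) {
    if (entry.setting !== ALLOW) continue;        // skip "block" entries
    const origin = pattern.split(",")[0];         // key is "origin,embedder"
    let url;
    try { url = new URL(origin); } catch { continue; } // skip wildcard patterns
    grants.push({
      host: url.hostname,
      scheme: url.protocol.replace(":", ""),
      granted: entry.last_modified ? chromeTimeToIso(entry.last_modified) : null,
    });
  }
  // Oldest first: the grants a user is least likely to remember giving.
  return grants.sort((a, b) =>
    String(a.granted).localeCompare(String(b.granted)));
}

// Constructed sample, not taken from a real profile.
const samplePrefs = {
  profile: { content_settings: { exceptions: { media_stream_mic: {
    "https://voice.example:443,*":
      { setting: 1, last_modified: "13034822400000000" },
    "https://old-demo.example:443,*":
      { setting: 1, last_modified: "13022467200000000" },
    "https://blocked.example:443,*": { setting: 2 },
    "[*.]wildcard.example,*": { setting: 1 },
  } } } },
};

console.log(persistentMicGrants(samplePrefs));
```

Any host in the output that you no longer use for voice input is a candidate for removal in Chrome's microphone site settings.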
Voice recognition for website navigation is not that popular yet, but it may be soon, given the rise of computers with built-in microphones and browsers that support them. This technology will come with its share of security risks, so be careful about idly mumbling your passwords, Social Security number and directions to your home to yourself for the time being.