It’s been a busy couple of weeks for Internet security! Almost unnoticed amongst the ‘Heartbleed’ fallout was a post on Guy Aharonovsky’s blog detailing how Google Chrome’s speech-to-text features can be used to snoop on anything you say near your computer — via a single tag attribute and some CSS.
The exploit, in a nutshell:
A text box with the x-webkit-speech attribute lets the user click a microphone icon and speak text into the box. With some simple stylesheet tricks, the blogger shows how to hide the text box (and subsequent pop-up) so that speech can be captured without the user’s knowledge.
Okay, so that’s Not Good. How do we fix it?
The Chrome devs responded quickly (especially once the proof-of-concept was made public), removing x-webkit-speech support from the upcoming Chrome v36. But that’s not due for stable release until mid-May — we needed something to prevent this method of snooping in the meantime.
Luckily, Chrome has a pretty awesome Extension system, so it was near-trivial to build a proof-of-concept extension that simply removes the ‘x-webkit-speech’ attribute from any <input> tag on the page — the first draft was just a boilerplate ‘manifest’ file and 4 lines of code, but it worked!
After some testing, the plugin was extended to listen for DOM changes (so it could detect if a speech input was added to the page via JavaScript). Additionally, a ‘page icon’ was added to give UI feedback that speech had been disabled, which the user can click to re-enable speech input if desired.
The extension is available in the Chrome Web Store.
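The mitigation described above, sketched as a content script. This is an added example, not the published extension's code; the function names stripSpeech and handleMutations are hypothetical, it strips the attribute from any element rather than only <input> tags, and the page icon and re-enable toggle are left out.

```javascript
// Content-script sketch (added example, not the extension's own source).
const SPEECH_ATTR = 'x-webkit-speech';

// Remove the attribute from `node` and every descendant that carries it.
// Returns how many elements were changed.
function stripSpeech(node) {
  // Text and comment nodes have no querySelectorAll; skip them.
  if (!node || typeof node.querySelectorAll !== 'function') return 0;
  const targets = [];
  if (typeof node.hasAttribute === 'function' && node.hasAttribute(SPEECH_ATTR)) {
    targets.push(node);
  }
  for (const el of node.querySelectorAll('[' + SPEECH_ATTR + ']')) targets.push(el);
  for (const el of targets) el.removeAttribute(SPEECH_ATTR);
  return targets.length;
}

// MutationObserver callback: covers elements inserted by script and the
// attribute being set on an element that is already in the page.
function handleMutations(records) {
  let changed = 0;
  for (const rec of records) {
    if (rec.type === 'childList') {
      for (const added of rec.addedNodes) changed += stripSpeech(added);
    } else if (rec.type === 'attributes' && rec.target.hasAttribute(SPEECH_ATTR)) {
      // Our own removal also produces a record, but the attribute is gone
      // by then, so this branch does not loop.
      rec.target.removeAttribute(SPEECH_ATTR);
      changed += 1;
    }
  }
  return changed;
}

// Only wire up when running in a page; the guard keeps the file loadable elsewhere.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  stripSpeech(document.documentElement);
  new MutationObserver(handleMutations).observe(document.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: [SPEECH_ATTR],
  });
}
```

Observing attributes as well as childList matters: a page can add a plain input first and set the attribute afterwards, which a childList-only observer would miss.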