It’s been a busy couple of weeks for Internet security! Almost unnoticed amongst the ‘Heartbleed’ fallout was a post on Guy Aharonovsky’s blog detailing how Google Chrome’s speech-to-text features can be used to snoop on anything you say near your computer — via a single tag attribute and some CSS.

The exploit, in a nutshell:

A text box with the x-webkit-speech attribute lets the user click a microphone icon and speak text into the box. With some simple stylesheet tricks, the blogger shows how to hide the text box (and subsequent pop-up) so that speech can be captured without the user’s knowledge.

Okay, so that’s Not Good. How do we fix it?

The Chrome devs responded quickly (especially once the proof-of-concept was made public), removing x-webkit-speech support from the upcoming Chrome v36. But that’s not due for stable release until mid-May — we needed something to prevent this method of snooping in the meantime.

Luckily, Chrome has a pretty awesome Extension system, so it was near-trivial to build a proof-of-concept extension that simply removes the ‘x-webkit-speech’ attribute from any <input> tag on the page — the first draft was just a boilerplate ‘manifest’ file and 4 lines of code, but it worked!

After some testing the plugin was extended to listen for DOM changes (so it could detect if a speech input was added to the page via JavaScript). Additionally, a ‘page icon’ was added to give UI feedback that speech had been disabled, which the user can click to re-enable speech input if desired.
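A content script that does what the extension described above does, written here as an added example and not the extension's own code: it strips the attribute from every existing input, then uses a MutationObserver so inputs added or re-armed later via JavaScript are stripped as well. It assumes a manifest that registers it as a content script with `"run_at": "document_start"`; the helper functions accept any element-like object so the sweep logic can be exercised outside a browser.

```javascript
// Added example (not the original extension's code): strip x-webkit-speech from
// every <input>, then keep watching the DOM for inputs added or re-armed later.
const SPEECH_ATTR = 'x-webkit-speech';

// Remove the attribute from one element. Returns true if something was stripped.
// Text nodes have no hasAttribute, so they fall through safely.
function stripSpeech(el) {
  if (el.hasAttribute && el.hasAttribute(SPEECH_ATTR)) {
    el.removeAttribute(SPEECH_ATTR);
    return true;
  }
  return false;
}

// Sweep a subtree: the root itself plus every armed <input> below it.
// Returns the number of attributes removed.
function stripSpeechInTree(root) {
  let count = stripSpeech(root) ? 1 : 0;
  if (root.querySelectorAll) {
    for (const el of root.querySelectorAll('input[' + SPEECH_ATTR + ']')) {
      if (stripSpeech(el)) count++;
    }
  }
  return count;
}

// MutationObserver callback: added nodes get swept, and an attribute change
// (a script re-adding x-webkit-speech to an existing input) is undone.
function handleMutations(records) {
  let count = 0;
  for (const rec of records) {
    if (rec.type === 'attributes') {
      count += stripSpeech(rec.target) ? 1 : 0;
    } else {
      for (const node of rec.addedNodes) count += stripSpeechInTree(node);
    }
  }
  return count;
}

// Wire-up when running as a content script in a real page.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  stripSpeechInTree(document.documentElement);
  new MutationObserver(handleMutations).observe(document.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: [SPEECH_ATTR],
  });
}
```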

The extension is available in the Chrome Web Store.