Users of Google's Chrome browser are vulnerable to attacks that allow malicious websites to use a computer microphone to surreptitiously eavesdrop on private conversations for extended periods of time, an expert in speech recognition said.

The attack requires an end user to click on a button giving the website permission to access the microphone. Most of the time, Chrome will respond by placing a blinking red light in the corresponding browser tab and putting a camera icon in the address bar—both indicating that the website is receiving a live audio feed from the visitor. The privacy risk, according to a blog post published Tuesday, stems from what happens once a user leaves the site. The red light and camera icon disappear even though the website has the ability to continue listening in.

In this demonstration video, a site given permission to access the microphone continues to record all sounds within earshot of the computer with no clear indication of what's happening. From there, Israeli researcher Tal Ater said, the audio is sent to Google for analysis before being sent to the site that made the request. Once permission has been granted, Chrome can be programmed to begin recording only after certain keywords—say, "Iran" or "National Security Agency"—are uttered.

"As long as Chrome is running, the transcripts of anything that is said next to your computer can be recorded by the malicious site—your private phone conversations, meetings, anything within earshot of your computer is compromised," Ater wrote in an e-mail. "This is a unique vulnerability, as it essentially turns Chrome into an espionage tool with consequences on the physical world."

In his blog post, Ater said he alerted Google to the underlying vulnerabilities on September 13. On September 24, someone from Google told him a patch was ready and that his discovery was eligible for a prize worth as much as $30,000 under the company's bug bounty reward program. When the patch still hadn't gone live in November, Ater asked what was causing the delay. "Their answer was that there was an ongoing discussion within the Standard group to agree on the correct behavior—'nothing is decided yet,'" Ater wrote.

A Google spokeswoman e-mailed Ars the following statement: "The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."

The takeaway from all of this is that users should carefully consider a website's request for microphone access before clicking OK. Users would also do well to place little reliance in the red blinking light and any icons Chrome uses to indicate that sounds are being captured. When in doubt, check which sites already have permission by navigating to Chrome settings > show advanced settings > and then clicking the "content settings" box in the privacy section. From there, click on the "manage exceptions" box under the Media section. Sites with permission to access your computer microphone will appear, along with a way to delete or modify the setting.

Stories like these demonstrate a major shortcoming in almost all computer and smartphone hardware available today—specifically that there is no hard switch to turn on and off microphones and video cameras. A physical switch on a computer would give many users the ease of mind that their conversations and other private moments aren't being captured. Yes, most operating systems provide ways to restrict mic and camera functions, but those software-driven mechanisms are probably more susceptible to hacking bypasses. Until then, readers should remain highly wary.