Google Chrome 32.0.1700.95 Speech Recognition privileges management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.3 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Google Chrome 32.0.1700.95 and classified as problematic. Affected by this issue is some unknown functionality of the component Speech Recognition. Performing a manipulation results in privileges management. Moreover, an exploit is present.
Details
A vulnerability was found in Google Chrome 32.0.1700.95 (Web Browser). It has been classified as problematic. This affects an unknown part of the component Speech Recognition. The manipulation with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, and integrity.
The weakness was disclosed 01/22/2014 by Tal Ater as Chrome Bugs Allow Sites to Listen to Your Private Conversations as not defined posting (Website). The advisory is shared at talater.com. The posting contains:
I discovered this exploit while working on annyang, a popular JavaScript Speech Recognition library.The exploitability is told to be difficult. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are unknown but a private exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/30/2019). It is expected to see the exploit prices for this product increasing in the near future.MITRE ATT&CK project uses the attack technique T1068 for this issue. The advisory points out:
A user visits a site, that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice. Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good. But what if that site is run by someone with malicious intentions? Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you. When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there. To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows - only in regular Chrome tabs.
It is declared as proof-of-concept.
Upgrading eliminates this vulnerability. The upgrade is hosted for download at chrome.google.com.
The vulnerability is also documented in the vulnerability database at OSVDB (102386†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.google.com/
- Product: https://www.google.com/chrome/
CPE 2.3
CPE 2.2
Video
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.8VulDB Meta Temp Score: 4.3
VulDB Base Score: 4.8
VulDB Temp Score: 4.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Privileges managementCWE: CWE-269 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Private
Status: Proof-of-Concept
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Upgrade: chrome.google.com
Timeline
01/22/2014 🔍01/24/2014 🔍
03/30/2019 🔍
Sources
Vendor: google.comProduct: google.com
Advisory: Chrome Bugs Allow Sites to Listen to Your Private Conversations
Researcher: Tal Ater
Status: Not defined
GCVE (VulDB): GCVE-100-12057
OSVDB: 102386
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 01/24/2014 10:59Updated: 03/30/2019 17:30
Changes: 01/24/2014 10:59 (47), 03/30/2019 17:30 (2)
Complete: 🔍
Cache ID: 216:FCD:103
No comments yet. Languages: en.
Please log in to comment.