Google doesn’t recognize the browser behavior as a safety issue.

The way that Google Chrome allows web apps to access microphones in computers is being described by an internet developer as a safety flaw.

Tal Ater, a programmer based in Israel, on Tuesday published information about the issue on his website. He says he was working with Google engineers since first reporting the problem on Sept. 13, 2013.

Google doesn’t recognize the problem, demonstrated during this YouTube video, as a legitimate exploit, and insists Chrome is safe and performing as expected.

Chrome provides access to a computer’s microphone (if one exists) at the host device in the course of the Web Speech API. After seeking permission, Google’s browser allows users to click the microphone icon within the Google Search input box to listen for spoken words that may be recognized by the company’s speech-to-text algorithms and become text-based search queries.

[Are you continue to using one of the vital 25 least secure passwords? See ‘Password’ Not Worst Password.]

Two months ago, Google also released a Chrome extension that enables “hotwording” — having the host device listen constantly for a keyword like “ok Google,” so that you can automatically interpret whatever words follow as a voice command.

But in pushing the bounds of browser development, Google can have provided malicious hackers with a possibility to spy at the unsuspecting, Ater claims.

Google’s security team developed a fix to the identified vulnerabilities within two weeks, Ater says, but was looking ahead to the W3C, the net standards body, to agree at the best method of fix the flaw.

Google in an email statement put it differently: “The safety of our users is a top priority, and this selection was designed with security and privacy in mind. We’ve re-investigated and still believe there is not any immediate threat, since a user must first enable speech recognition for every site that requests it. The feature is in compliance with the present W3C standard, and we continue to work on improvements.”

Ater explained in a prior email that Chrome doesn’t follow the W3C’s unfinished specification for Web Speech, which states that code implementing the net Speech API should “abort an active speech input session if the webpage lost input focus to a different window or to a different tab in the same user agent,” with the intention to reduce the prospect of allowing websites to record without the user’s knowledge.

But that recommendation was struck from the specification last November. The internet Speech API errata requires the deletion that very sentence. This appears to make the scenario depicted in Ater’s video — in which a hidden pop-under window continues recording surreptitiously after the user has granted recording permission after which navigated to a different website — acceptable, no less than from a standards perspective.

Ater says he agrees that it was a good suggestion to take away the restriction because there are occasions when one may want a background window active during speech recognition. He also agrees that speech recognition permission ought to be allowed to persist across sessions. 

“The issue is that the present implementation allows turning on speech recognition in a background window or tab that the user hasn’t ever interacted with and can not take into accout is there,” Ater said. “Add to this the truth that there’s no visual indication in pop-up windows for speech recognition being turned on, and you’ve an excellent combination of little bugs and issues coming together to create an exploit that may be greater than the sum of its parts.”

Such behavior appears to permit Chrome to be changed into a covert listening device, but because Google has addressed most of these issues, it isn’t clear how easy abuse may well be. Ater has posted sample exploit code in a Github repository.

“i believe the severity of this exploit needs to be measured by the way it can be utilized to create something that can affect a user’s privacy, and never by the severity of every of its small parts,” said Ater.

The Chromium team is operating on at the least a different microphone-related security issue.

None of that’s entirely surprising. Microphones have represented a safety vulnerability for kind of provided that they have been around, but they’re much more of a possible threat in an era of mobile, network-connected devices. In 2008, security researchers identified a flaw in Adobe Flash that allowed webcams to be hijacked for surreptitious surveillance. A related Flash for Chrome vulnerability surfaced last year. Also last year, Cisco published a warning of an exploit that may turn one among its IP phones right into a surreptitious listening device.

Back within the 1980s and for years after that, Lucasfilm’s acoustics certification group THX ran thundering trailers in movie theaters that declared “The audience is listening.” Today, the computers are listening, quietly but attentively.

Thomas Claburn is editor-at-large for InformationWeek. He was writing about business and technology since 1996, for publications equivalent to New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and tv. He’s the writer of a science fiction novel, Reflecting Fires, and his mobile game Blocfall Free is on the market for iOS, Android, and Kindle Fire.

InformationWeek Conference is an exclusive two-day event happening at Interop where you’ll join fellow technology leaders and CIOs for a packed schedule with learning, information sharing, professional networking, and celebration. Come learn from one another and honor the nation’s leading digital businesses at our InformationWeek Elite 100 Awards Ceremony and Gala. You can discover additional information and register here. In Las Vegas, March 31 to April 1, 2014.