Yes, Chrome may be listening — because you told it to

Windows with permission to listen to your microphone keep listening until they are closed

There's news today about a new exploit in Chrome, that centers around the recently-introduced listening features. The new feature is not just limited to Google search, and any webmaster can implement it on his or her site with minimal coding. That is exactly the sort of thing that leads to scary-sounding issues, like the one today. 

In a nutshell, a website can ask for permission to use your microphone. Once granted, it can open another window from the same domain, and listen to the sounds coming in from your mic. Even if you surf away from the original window that asked permission. This becomes a problem when users lose track of what windows they may have open, and leave a sneakily placed pop up window running all day long to listen to everything it can hear.

But is this the expected behavior? Read on.


Working as expected? Maybe

This isn't exactly a new issue. The fellow that first found and reported the issue did so back in September of 2013. The issue was acknowledged, and code to fix it all was written. But it has yet to be merged, because the people who decide things like standard behavior for new features haven't decided if this is expected behavior or not. 

When you give permission for something to happen, it should be expected that it will happen. When you say "OK, listen to my mic so we can do some cool stuff," Chrome should let the site you gave permission to listen to your mic, so cool stuff can happen. If you don't close the window that has permission to listen in, it's going to listen. This is the expected behavior, and exactly how things were designed to work. 

But what could potentially happen is that a crafty web developer could open a small pop-up that you may not notice. It inherits the permission to listen, and keeps listening until you close it. This means it can hear what you say on the telephone, or to other people in the room, or the Iron Maiden that you're playing loudly at your desk. And transmit it all to the website with permission to hear it.

Google will sort something out. I'm actually glad that they didn't jump in and change the way windows and tabs listen, because things should work the way they do. Having to give permission on every single page you navigate to on a website is not a good user experience. On the other hand, Google needs to protect its users somehow. Not everybody knows to block pop-ups in their Chrome settings, and to appeal to the normal user you need to protect the normal user. I don't know how they should fix this, and I'm glad it's not my responsibility to figure it all out.

What should we do?

In the meantime, there are two easy fixes. You can simply never give permission for a site to use your microphone, or disable automatic pop-up windows. To do that, open your Chrome settings and click the "Show advanced settings" link. In the privacy settings, click the "Content settings" button. In the new window, scroll to the Pop-ups section, and set them to Do not allow on any site. This is the recommended and default setting, and will cover most pop-up windows on the web. When you need to see a pop-up window, you can click the Omnibar to show it.

In the end, we just have to be dutiful and pay attention to the windows open on our computers until Google sorts out exactly how to handle issues like this one. Google is dead-set on pushing voice interaction with our electronics, and along with it will come obstacles. Hopefully, they sort the issues as fast as they push the technology.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • And in other news, Microsoft's Internet Explorer suddenly grows in market share. :: Posted via HTC One ::
  • Ha. Good one. Exactly. Editor in chief of
  • No one's that mental. Firefox maybe :)
  • I would have to agree that it is working as intended. If we are to see advancement with these types of features, then we have to become aware of what we are allowing programs and hardware to do with the permissions that we give them. There will always be ways to take advantage of technology as it advances.
  • I'd better get a microphone so I can be annoyed Posted via Android Central App
  • I avoid built in mics and cameras, but on lap tops its kind of standard equipment. Bet you have a smartphone and/or tablet, and in that case, you have to be cautious.
    Not all of these have "on the air" indicator lights. It should be the law. I recommend Office Depot Item # 760218 for your laptop or tablet camera.
  • What are the site's hearing in almost 50% of these cases? A strange fapping sound. Fap Fap Fap Fap. : P
  • You agitating my dots?
  • Do not allow any site to show pop-ups is a great idea. I seem to recall you can't use Android central forums without listing it as an exception. Jerry: Have the forum guys check that out. Its been a while, since I added it as an exception, and I forgot the exact reason. Think it had something to do with a pop-up sign in window or something.
  • Google could put a microphone icon on the address bar, and color it red and pulse it visually, whenever any page is listening to the microphone. It could be static and black when no page is listening. That way, even if some hidden popup page is listening after you closed the original page you gave permission to, you'd have a visual indicator (or a reminder even if you knew, but forgot). Clicking on the microphone, when active, could pop up a list of the page(s) that are listening, and give you the option of bringing the page to front where you can see it, or close the page, or possibly leave the page open but retract the permission to use the microphone. That would make it harder for nefarious folks to code a nasty page, without materially changing the current behavior.
  • The latest vesrion of Chrome (M32) has some of these features built-in. Indicators show which tabs are using your webcam and speakers (Source: Everyone can now track down noisy tabs, Google Chrome Blog). It seems they should do a symbol for the mic as well.
  • Actually there is an icon when the mic is active. Except it's in the tray and not the address bar.
  • Actually, what you can do is tell Windows to always show that mic notification in the task tray instead of hiding it. Done and done.
  • Default setting works for me. But still not overly concerned about someone listening in when I am petting the dog of vacuuming. I see the privacy concerns but not for me.
    Thanks for the report
    Posted via Android Central App
  • "Petting the dog of vacuuming"
    Is that some sort of masturbation reference?
  • It's even better lol Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.
  • Lmao. Oh shit. I literally just laughed out loud. Editor in chief of
  • All Google is gonna hear from me is "FAP FAP FAP"
  • Well at least they will be able to give you useful advertising based on your interests.
  • Lol, nothing gets past you, Joe. Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.
  • Lol Editor in chief of
  • Pop ups stay open if you don't close them? Is it April 1 already?
  • Fb, Twitter, almost any social media app you install on Android does the same thing all the time, any time. Not just the mic, but same goes with the camera as well.
  • Is this serious? Are you saying that all social media apps are recording audio and video at all time? No, no they are not.
  • No, it was CLEARLY sarcasm. Couldn't you tell by the /sarc... Oh wait, lol. Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.
  • No. But the fucking government is. Posted via Android Central App
  • This was the case with microsoft messenger (when it existed). But frankly all this hype about inavasion of privacy blah blah blah I for one am not going to go and tape up my webcam and mic (or my windows and doors for that matter). If I am required to post what color underware I'm wearing everyday, then fine I'll comply. I rather not lose my freedom like Mr. Snowden did. Because frankly outside of a well and provided society, all else suck as Mr. Snowden is realizing. Care to learn? Go book a flight to some ancient society like North Korea.
  • It still does exist. Editor in chief of
  • I don't have a problem with these permissions. Just makes me think twice before taking a laptop into the bathroom Posted via Android Central App
  • The evil Google. Posted via Android Central App
  • They always about this since day one. Posted via Android Central App
  • So what you're saying is that somewhere, deep down in the doldrums of the interwebs, some crafty, devious, diabolical web developer has a recording...of...Jerry Hildenbrand singing Justin Beiber. Say it ain't so! I need to get my hands on that recording
  • Well, I can definitely understand why some people would be uncomfortable with this. Posted via AC App on HTC One
  • That's why the mic on my PC is always disconnected. Posted via Android Central App
  • As much as I am for bettering technology - whether that be voice integration or waving my arms around for a more seamless experience this seems lazy to me on Google's part. Not everyone has the passion, understanding or the time to read technology like this and therefore wouldn't have found out about this type of issue. IMO this should be a "Beta" (could even be open beta) feature and taken off the main version that tons of end users may use and have no idea. Now I'm starting to understand the logic of end users who tape up their webcams because they font know better and aren't trusting companies to always have their interests at heart - seems to be one of them. Personally pop ups are always blocked so I'm okay but it's still an issue. Posted via Android Central App
  • If that's the "recommended and default setting" how did the browser switch to the other setting without the user intentionally changing away from the default?
  • One easy fix is use Firefox. It's much better in my opinion anyway. Seems to load faster and use less memory.
  • And this is what they do after they listen...
  • You could also pay attention to what popup windows happen to be open. It's not that hard. People need to learn to open their eyes when using a computer. So many exploits depend on users being barely sentient when computing.... Posted via Android Central App on Nexus 7 2013 LTE
  • hope google fix it soon
  • Is it all browsers? Should i do something to my firefox to prevent it from happening?