Shazam for Mac Keeps Listening Even When Disabled

The Mac version of the Shazam music discovery application keeps the device’s microphone active even after the user has switched off the app. While it doesn’t appear that Shazam is trying to spy on users, this behavior does have some security implications.

Patrick Wardle, director of research at Synack, recently warned that malware could silently spy on Mac OS X users through the device’s webcam and microphone by piggybacking on legitimate applications that use these functions, such as FaceTime and Skype.

In an effort to help people protect themselves against potential attacks, Wardle developed a tool, named OverSight, that alerts the user when the webcam or the microphone becomes active and allows them to block the process if it seems suspicious.

One user of the OverSight tool discovered that the Shazam widget keeps the microphone active even when the app has been switched off. Wardle has reverse engineered Shazam and confirmed that the application continues recording even after it has been turned off, but the expert determined that it does not process the audio data while disabled.

“Though it appears that Shazam is always recording even when the user has toggled it ‘OFF’, I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc),” Wardle said in a blog post. “However, I still don’t like an app that appears to be constantly pulling audio off my computer’s internal mic. As such, I’m uninstalling Shazam as quickly as possible!”

The researcher believes a piece of malware could exploit this functionality to capture audio from the microphone without initiating a recording itself.

Shazam developers don’t see this behavior as a serious security risk, but they have promised to address the issue in the coming days.

“We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don’t recognize a meaningful risk, the company will be updating its Mac app within the next few days,” James A. Pearson, VP of global communications at Shazam, said in an emailed statement. “Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop.”

“Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted,” Pearson added.

*Updated with additional clarifications from Shazam

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
