Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Shazam for Mac Keeps Listening Even When Disabled

The Mac version of the Shazam music discovery application keeps the device’s microphone active even after the user has switched off the app. While it doesn’t appear that Shazam is trying to spy on users, this behavior does have some security implications.

The Mac version of the Shazam music discovery application keeps the device’s microphone active even after the user has switched off the app. While it doesn’t appear that Shazam is trying to spy on users, this behavior does have some security implications.

Patrick Wardle, director of research at Synack, recently warned that malware could silently spy on Mac OS X users through the device’s webcam and microphone by piggybacking on legitimate applications that use these functions, such as FaceTime and Skype.

In an effort to help people protect themselves against potential attacks, Wardle developed a tool, named OverSight, that alerts the user when the webcam or the microphone become active and allows them to block the process if it seems suspicious.

One user of the OverSight tool discovered that the Shazam widget keeps the microphone active even when the app has been switched off. Wardle has reverse engineered Shazam and confirmed that the application continues recording even after it has been turned off, but the expert determined that it does not process the audio data while disabled.

“Though it appears that Shazam is always recording even when the user has toggled it ‘OFF’, I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc),” Wardle said in a blog post. “However, I still don’t like an app that appears to be constantly pulling audio off my computer’s internal mic. As such, I’m uninstalling Shazam as quickly as possible!”

The researcher believes a piece of malware could exploit this functionality to capture audio from the microphone without initiating a recording itself.

Shazam developers don’t see this behavior as a serious security risk, but they have promised to address the issue in the next days.

“We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don’t recognize a meaningful risk, the company will be updating its Mac app within the next few days,” James A. Pearson, VP of global communications at Shazam, said in an emailed statement. “Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop.”

“Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted,” Pearson added.

*Updated with additional clarifications from Shazam

Related: New Tool Aims to Generically Detect Mac OS X Ransomware

Related: Little Snitch Flaw Exposed Mac Systems to Attacks

Related: Apple’s Gatekeeper Bypassed Again

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cyberwarfare

U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cyberwarfare

The U.S. is tracking a suspected Chinese spy balloon spotted over U.S. airspace, officials said on Feb. 2, 2023.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...