The developer was quick to report the exploit privately to Google’s security team back in September 2013. In less than a week, Google’s engineers had found the bugs and suggested fixes, and within the next five days a patch was ready. By the way, the developer’s find was nominated for Chromium’s Reward Panel.
The strange thing was that as time passed, the fix wasn’t released. When asked why, Google’s team answered that there was an ongoing discussion within the Standards group to agree on the best course of action. In other words, the company couldn’t decide what to do, though there were not many options.
It’s 2014 already, but Google is still waiting for the Standards group to agree on the correct behavior, while leaving the Chrome browser vulnerable. Indeed, all it takes is for a user to visit a website exploiting speech recognition to offer some interesting new functionality.