Shazam brought its music-searching chops to the Mac over two years ago, but former NSA hacker and Mac security guru Patrick Wardle revealed this week that the app has a big flaw. With the version of the app for Apple desktops, the software continued listening even after it was turned off. That's right, the microphone on a Mac was still hot even after Shazam performed its duties and users flipped the switch. The company says it isn't saving anything extra, processing your conversations or storing what it overhears on its servers.
According to Shazam's vice president of global communications James Pearson, this is a feature and not a bug. If you'll recall, the always on nature of the app was touted during its announcement, a tool that would continue to run the company's identification methods in the background if you allowed it to do so. However, even with the software is specifically toggled "off," the mic is still on and it's still listening. Shazam only does this inside the Mac app, so if you're using it elsewhere, other versions don't work the same way.
"If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio," Person explained to Motherboard. He went on to say that if the microphone wasn't on, the user experience would suffer, causing users to "miss out" on whatever song they wanted to get more info on.
So, what if a hacker wanted to get their hands on the data that would allow them to listen in from your Mac? Well, Shazam claims that can't happen. The company's chief product officer Fabio Santini told CNET that the method the app uses to identify songs uses "fingerprints" or pieces of the audio that are then matched to other "fingerprints" in its database.
"Those points can't be reverse-engineered to reconstruct original audio," Santini said.
Never say never, Shazam. In response to this week's revelation, the company plans to "address" the issue in an upcoming update, but there's no word on when that might happen. Again, Shazam says that there's no risk to users with the app's current configuration. Wardle argues that a piece of malware could be engineered to pull audio from a Mac's microphone without having to turn it on.
"We could get creative an easily design a piece of malware that steals this recoding without having to initiate a recording itself (which would likely generate an alert)," Wardle explained.