Former NSA hacker Patrick Wardle made the discovery using an app he created to inform users when apps are accessing their microphone or webcam. While he is uncertain how significant the problem is, Wardle suggests that the Shazam app could potentially facilitate a hacker gaining access to a user's microphone.
"On one hand, even when you click 'OFF' Shazam continues to consume audio off the internal microphone. On the other hand, they don't appear to process or use this data in any way. Still, 'OFF' should mean off . and due to their actions, we could get creative and easily design a piece of malware that steals this recoding without having to initiate a recording itself," Wardle wrote in a post on his Mac security tools website Objective-See.
While Shazam initially responded to Wardle to confirm his findings and state that the company will "address this in a future update", the company's VP of global communications James Pearson later told Motherboard that the app is working as intended.
"There is no privacy issue since the audio is not processed unless the user actively turns the app "ON." If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users "miss out" on a song they were trying to identify," Pearson said in a statement.
Since Shazam doesn't consider always-on microphone access to be an issue, Pearson said the company doesn't intend to alter the app's functionality.
"Shazam takes user privacy very seriously. Shazam does not save or send audio samples; only digital fingerprint summaries of the audio are sent to Shazam's servers to identify media content in Shazam's databases. As always, for user privacy, the original audio cannot be reconstructed from Shazam audio fingerprints," Pearson said.
Despite these assurances, Wardle believes the issue is still cause for concern.
"I still don't like an app that appears to be constantly pulling audio off my computers internal mic. As such, I'm uninstalling Shazam as quickly as possible!" he said.
Update: Shazam has reached out to say the company will be updating its Mac app soon in response to concerns.
"We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days. Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop," Shazam's VP of global communications James Pearson said.
"Contrary to recent rumors, Shazam doesn't record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam's database and then deleted," Pearson said.