An anonymous reader writes "Last year Google rolled out a new feature for the desktop version of Chrome that enabled support for voice recognition directly into the browser. In September, a developer named Tal Ater found a bug that would allow a malicious site to record through your microphone even after you'd told it to stop. Quoting: 'When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can't start listening to you in background windows that are hidden to you. When you click the button to start or stop the speech recognition on the site, what you won't notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn't even know was there.' Ater reported this to Google in September, and they had a fix ready a few days later. But they haven't rolled it out yet — they can't decide whether or not it's the proper way to block this behavior. Thus: the exploit remains. Ater has published the source code for the exploit to encourage Google to fix it."