Attackers can eavesdrop on Chrome users through a hidden window
Chrome contains a bug that allows malicious parties to eavesdrop on users via the permission to use the microphone. This also works after users have closed the tab with the site in question, via a pop-under.
Developer Tal Ater reported the bug to Google in September, but because a fix has still not landed in Chrome four months later, he has published an explanation of the bug on his site. Exploiting the flaw isn’t easy: an attacker has to get the user to give permission to turn on the microphone, something many users won’t be willing to do.
When the user is on the site or closes the tab, the site opens a pop-under. Thanks to this pop-under, the site can continue to listen in on the user. The pop-under is not the active window, but it is visible in the background.
According to Google, the bug has not yet been fixed because the company is still investigating what the correct behavior for the microphone permission should be. In addition, Google sees no threat in it, because users have to give permission themselves to turn on the microphone.