Google was recently informed of a major security vulnerability in Chrome that would allow malicious people to record audio or video without the user's permission. The most up-to-date and widely used browsers support WebRTC (Web Real-Time Communication), a technology that enables real-time communication with no need for additional plugins. With it, sites can offer audio and video chat, screen sharing, peer-to-peer data transfer and so on.
Of course, this also has some negative implications: WebRTC may leak the local IP address in browsers that support the technology. This vulnerability affects Chrome and many other browsers: once you allow a malicious site to use WebRTC, it may start recording audio or video through a JavaScript window that goes unnoticed. Because that JavaScript window has no header, Chrome gives the user no indication of what is happening.
A member of the Chromium development team confirms the existence of this issue but classifies it as a privacy problem rather than a security vulnerability. Google may address the matter shortly; meanwhile, you can protect yourself by not allowing unknown sites to use WebRTC.
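One way to check which sites have already been allowed to capture audio or video is to audit the camera and microphone grants stored in the browser profile. The following is an added example, not code from the original article or from Chromium. It assumes the Chrome profile `Preferences` file is JSON with grants under `profile.content_settings.exceptions.media_stream_mic` and `media_stream_camera`, and that a `setting` of 1 means allow; the sample data and the trusted list are constructed.

```python
import json

# Constructed sample shaped like the assumed layout of a Chrome profile
# "Preferences" file; origins and values are made up for illustration.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://meet.example.com:443,*": {"setting": 1},
            "https://unknown-site.example:443,*": {"setting": 1},
            "https://ads.example.net:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://meet.example.com:443,*": {"setting": 1},
        },
    }}}
})

# Assumed content-setting values: 1 = allow, 2 = block.
ALLOW = 1
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}


def granted_media_origins(preferences_text):
    """Return {origin: sorted list of devices} for origins allowed to capture."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    granted = {}
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            if isinstance(entry, dict) and entry.get("setting") == ALLOW:
                origin = pattern.split(",")[0]  # drop the embedder pattern
                granted.setdefault(origin, []).append(device)
    return {o: sorted(d) for o, d in granted.items()}


def unexpected_grants(preferences_text, trusted_origins):
    """Origins holding a capture grant that are not on the trusted list."""
    granted = granted_media_origins(preferences_text)
    return {o: d for o, d in granted.items() if o not in trusted_origins}


if __name__ == "__main__":
    trusted = {"https://meet.example.com:443"}  # hypothetical allow-list
    for origin, devices in unexpected_grants(SAMPLE_PREFERENCES, trusted).items():
        print(f"review grant: {origin} -> {', '.join(devices)}")
```

Any origin the audit reports is a candidate for revoking its camera or microphone permission in the browser's site settings.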