The issue revolves around a website’s ability to activate your camera and audio recorder. Google uses an API which legitimate developers call, that displays a distinctive red dot on the browser tab when the page in question activates your laptop’s camera and recording equipment (like it does when you activate a video call via a Google Hangout page, for example).
From a practical standpoint, that means that any webmaster using the code could spy on you, and you’d be none the wiser. Worse, although Google has been informed of this flaw, they’ve decided that it’s not a critical security issue, so there are no immediate plans to issue a patch to correct it.
As a user, you don’t really have many good options here, except to disable your equipment or cover the camera when you’re not actively using it.
Neither of these are perfect options. If a hacker can remote-activate the camera, then they can also enable it, even if you’ve disabled it electronically or covered your camera lens. These measures also don’t prevent a hacker from listening in on you and everyone in the immediate vicinity of your laptop.
These kinds of dangers are becoming increasingly common. Just last year, Samsung got into hot water over the fact that its Smart TV’s record everything said in their vicinity, and that data is saved on a Samsung server where it could potentially be captured by hackers, and Amazon’s Echo has made the news for similar reasons.
There are no easy answers or fixes here, so users beware.