Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of Github to use your mic, and thereafter, every Github page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.
Google has created a fix for this, but have not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.
So where does this leave you? In short, not too far from where you started. The issue with Chrome, and Ater—along with other security experts—insist that it could be exploited and you may never know. While the argument continues on that end, what you can do is review the sites you've allowed to access your microphone and camera in Chrome. It's not difficult. Here's how:
1. Open chrome, and type chrome://settings/contentExceptions#media-stream into the Omnibar.
2. You'll see the Media Exceptions screen, where you can see which hostnames have permissions to your microphone and camera, and which of those two each site has access to.
3. Highlight any site you want to remove, and click the "x" on the right side of the line.
4. Save your changed by clicking Done.
PCWorld also notes that if you prefer, you can just go to: chrome://settings/content Scroll down to Media, and instead of "Ask me when a site wants to use a plug-in to access my camera and microphone" (which is the default setting), select "Do not allow any sites to access my camera and microphone," which is kind of the nuclear option.