Israeli coder Tal Ater found the bug while working on his own speech recognition software.
Despite Google finding a way to fix the bug in October 2013 the update has yet to be rolled out to Chrome, he said.
Google said the current version complied with web standards defining how speech recognition should work.
"Even while not using your computer - conversations, meetings and phone calls next to your computer may be recorded and compromised," wrote Mr Ater in a blogpost explaining what he had found.
The bug emerges when malicious sites try to subvert the way Chrome handles speech recognition, he said.
Typically, people must manually grant permission to each site that wants to access a computer's microphone to listen in. Once permission has been granted Chrome lets people know a site is listening via a blinking red dot on the tab for that site.
In a video accompanying the blogpost, Mr Ater showed how a malicious attacker could use specially crafted code to exploit these permissions to launch a "pop-under" window that starts the speech recognition system.
"The malicious site you visited can continue listening in on you long after you have left it," said Mr Ater. "As long as Chrome is still running nothing said next to your computer is private."
Google was told about the bug in September last year, said Mr Ater and soon after found a way to fix it. However, this has yet to be included in updates for Chrome.
Mr Ater asked why Chrome remains vulnerable and was told that Google was still waiting for the World Wide Web consortium (W3C), which defines how the web develops, to make a decision about what to do.
"The security of our users is a top priority, and this feature was designed with security and privacy in mind," said a Google spokesperson. "We've re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it."
"The feature is in compliance with the current W3C specification, and we continue to work on improvements," he addedtold tech news site The Register.