Cyber security researcher Craig Young found a bug in Google Home and Google Chromecast gadgets
It allows a cyber-criminal to find your location.
Google expects to fix it in the coming weeks.
Craig Young is a security researcher with security firm Tripwire's Vulnerability and Exposures Research Team (VERT). His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame.
The bug works on Linux, Mac and Windows systems and could target you through a web browser.
Young added in the blog,
It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication.
According to a CNET report,
Craig could use the web browser on the computer as a stepping stone to reach a Chromecast or Google Home smart speaker that was connected to the same router. In the research, he was able to grab information about his own location from his Chromecast.
How does it work?
The attacker doesn’t need to connect to your network; they just need to send you a malicious link by e-mail using a social engineering technique. When you click the link, your location is shared with the cyber-criminal.
Browser extensions and mobile apps can use their unrestricted network access to directly query the devices without relying on or waiting for a DNS cache refresh. This gives advertisers a direct path to obtain location data without alerting the end-user. The location data can then be correlated with other tracked web activity and possibly tied to a specific real-world identity, Craig added.
The bug is not fixed yet.
We expect Google to release a security patch in the next few weeks for its Home devices and Chromecast TV streaming stick.