Google is planning on fixing a bug on Chromecast TV streaming stick and Home that reveals user’s location. This bug lets a website collect precise user location data, according to a report from security reporter Brian Krebs. This bug exploits a loophole in Google’s systems to cross-check a list of nearby wireless networks with Google’s precise geolocation look-up services.
By using the location gained by the nearby Wi-Fi networks through a Google Home or Chromecast, malicious websites can triangulate a user’s location. Since these devices barely need any authentication from third parties to receive data on local networks, they exploit the generous permissions to collect any sensitive data.
It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and these addresses can be used in combination with online geolocation to glean information about each visitor’s hometown or region. However, this type of location information is often quite imprecise. This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location.
This gives Google an advantage to determine a user’s location to within a few feet by triangulating the user between several nearby mapped Wi-Fi access points. The fix to this bug is expected to arrive sometime in the middle of July.
Commenting on the same, Young told KrebsOnSecurity:
An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.