The loophole could allow attack websites to determine a user’s precise location
The loophole could be used by unscrupulous attackers to make phishing or extortion attacks appear more realistic by including the recipient’s location, such as their street address, according to Tripwire researcher Craig Young, who discovered it.
Young said the issue stems in part from the fact that devices such as the Google Home smart speaker, and Chromecast, which streams media content to a monitor or television, don’t require authentication from connections over a local network.
That means a website could run a simple script to access information from those devices that can be used along with Google’s geolocation lookup service to determine the devices’ location.
“For many years now, device makers have focused to a large degree on a low-friction user experience that ultimately lends itself to abuse,” Young wrote in an advisory.
Unlike an IP address, which only offers a general location, usually within several miles, Google’s geolocation service – which relies on a catalogue of large numbers of wireless networks – can locate devices within a few feet.
Users’ web browsers generally block websites from accessing the information they would need to perform a lookup, unless it’s specifically authorised, but Young said if a Google Home or Chromecast device is located anywhere on the user’s wired or wireless network, an attack script could access those devices and obtain the needed data.
The script would require the user to click on a link that could be embedded in an advertisement or a Twitter post, Young told the Krebs On Security website.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young said, adding that the link would need to remain open for about a minute for the data to be gathered.
Young told Google about the issue in May, but the company didn’t initially plan to fix the issue, saying it was “intended behaviour”.
It’s now planning a patch in mid-July.
Do you know all about security? Try our quiz!