Description
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request.
References (4)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/
Various Sources x_refsource_misc
https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
Third Party Advisory x_refsource_misc
https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/
Third Party Advisory x_refsource_misc
https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/
Scores
CVSS v3: 4.3
EPSS: 0.0070
EPSS Percentile: 48.4%
Attack Vector: ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (2): google/chromecast_firmware, google/home_firmware
Published: Jun 25, 2018
Tracked Since: Feb 18, 2026