A bug discovered in Chromecast and Google Home devices allows any website to access a user’s precise location by detecting nearby networks. Google promises a fix is planned for a release next month.
A bug has been discovered in Google’s Chromecast and Google Home devices, which allows any website to access Google’s precise location service to find out the exact position of the devices with a margin of error of just a few feet.
Websites can usually obtain a general idea of the user’s location through the IP address of the device accessing the website, but this method isn’t extremely precise and the privacy of visitors is protected to some extent. Google, however, uses high-precision location services that rely on wireless networks around the user to narrow down the possible locations of the device based on the triangulation in relation to those networks. Krebs on Security explains:
The bug in these devices essentially allows any website to see nearby wireless connections and cross-reference with Google’s database to determine the precise location of the user. Craig Young, the researcher who discovered the flaw, says that « Although Google’s app, which uses this functionality, implies that you must be logged into a Google account linked with the target device, there is, in fact, no authentication mechanism built into the protocol level ». You can see the bug in action in the video below:
Young says he was only able to test the flaw in three different locations, but in each case, the location obtained by the website corresponded to the right street address. When the researcher initially filed a bug report to Google describing the issue, the company dismissed the report, closing it with the message « Won’t Fix [Intended Behavior] ». But upon being contacted by Krebs on Security, the company said it would fix the issue through an update scheduled for release in July.
User privacy has been a major topic of discussion recently, with Facebook often taking the spotlight for the worst reasons, but this bug – and Google’s initial response to it – seem to indicate that the social network isn’t the only one making some mistakes.
Source: Tripwire, Krebs on Security via The Verge
