Google Home, Chromecast Fix for Location Data Flaw Coming in Mid-July: Report

Share on Facebook Tweet Share Reddit Comment
Google Home, Chromecast Fix for Location Data Flaw Coming in Mid-July: Report


  • The flaw is said to leak precise location data of the user
  • Malicious content needs to be opened for one minute to leak location data
  • Update will be issued by next month

Google's catalogue of smart home gadgets include the Google Home smart speaker range as well as the popular Chromecast streaming device. Fresh reports are now coming in that indicate Google might soon push out an update to fix a glaring bug that allows websites to easily run a script that can acquire precise location data of the user with any of these devices. As per the report, the attack is made possible by getting the victim to open a link on the same Wi-Fi network as the Google device. To track the location, however, the link will need to remain open for one minute before location can be traced back.

Content in the attack could be disguised in the form of an advertisement, tweet, or any other medium, reports KrebsOnSecurity. Notably, websites save location information in the form of IP addresses, which are not accurate enough to detect precise location information. However, Google's smart home devices link Wi-Fi networks to their corresponding physical location thanks to access to "comprehensive maps of wireless network names across the world."

"The difference between this and a basic IP geolocation is the level of precision. For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I've been consistently getting locations within about 10 meters of the device," said Craig Young, a researcher with security firm Tripwire.

The researcher also notes that this kind of a bug could give the much-needed authenticity and credibility to phishing and extortion scams by letting the attacker know the precise location of the victim. Initially, Young states that Google had ignored his bug report with a "Status: Won't Fix (Intended Behaviour)" message. However, Google has now told KrebsOnSecurity that it plans to issue an update by mid-July 2018.

This major privacy flaw is said to have arisen because of the nature of Google Home and Chromecast devices that have questionable authentication for connections that are received on a local network. For this, Young suggests that all requests should be authenticated and all unauthenticated requests should be generic.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Google Home, Chromecast, Google
Google Maps Uber Booking Integration Removed From Android, iOS Apps
Trump Wants to Dominate Space, Moon and Mars