QwikSec

Security Database

CVE

CWE

Training

CVE-2018-12716

Published: Jun 25, 2018

Modified: Sep 17, 2024

PUBLISHED

Description

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

x_refsource_MISC

https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

x_refsource_MISC

https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/

x_refsource_MISC

https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.