UPDATED 21:24 EDT / JUNE 18 2018

Google Home and Chromecast vulnerability allows hackers to obtain location data

Google LLC is promising to issue a fix within weeks for an authentication issue within its Google Home speakers and Chromecast devices that lets hackers easily obtain the home address of a user.

Discovered by Craig Young, a researcher with security firm Tripwire Inc., the vulnerability exploits a loophole in Google’s systems to cross-check a list of wireless networks near the device against Google’s geolocation lookup services.

That could allow a would-be hacker to triangulate the target’s position, revealing the physical location of the device’s users.

Somewhat oddly for a vulnerability, hackers do not need direct access to one of the Google devices. The exploit can be served via a website viewed on a computer or smartphone on the same network, with the code then scanning for the Google devices to identify the victim.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

The good news is that, at the moment, Young has only disclosed that the attack is possible and provided a proof-of-concept, and there are no known examples of the exploit being used in the wild. That said, there soon could be.

Beyond privacy issues relating to a Chromecast or Google Home leaking a user’s precise geographic location, Young noted that the bug could help scammers make phishing and extortion attacks appear more realistic. “Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings,” Young warned.

Photo: Duncan Riley