PT-2018-11350 · Google · Google Home +1

Brannon Dorsey +1 · Published 2018-06-25 · Updated 2018-08-24 · CVE-2018-12716

CVSS v2.0: 3.3 (Low)
Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Google Home and Chromecast devices (affected versions not specified, but versions before mid-July 2018 are impacted)

Description

The API service of the affected devices lacks protection against DNS rebinding attacks. This allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on the browser's local network. Attackers can extract the scan results JSON data, specifically the bssid fields, and send these fields in a "geolocation/v1/geolocate" Google Maps Geolocation API request to obtain location information.

Recommendations

For Google Home and Chromecast devices before mid-July 2018, there is currently no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2018-12716

Affected Products

Chromecast
Google Home