
Issue 783376

Issue metadata

Status: Fixed
Closed: Dec 2017
OS: Windows
Pri: 1
Type: Bug

Security: Chromecast model: NC2-6A5

Reported by yassine....@gmail.com, Nov 9 2017

Issue description

Stable channel for Windows (64-bit)
Microsoft Windows version 1703 build operatingsystem 15063.674
Chromecast model: NC2-6A5 
FFC ID: A4RNC2-6A5/ IC: 10395A-NC26A5/ CANMB-3 B/ MADE in CHINA

I can cast on other screens without any security or password input. For example, I can cast to the same Chromecast that my neighbour has. I can also see what the neighbour is looking at if I go to the cast pictogram on GOOGLE CHROME web explorer. The same thing is that the neighbours can cast on my screen and they can see what I am casting.

I followed the following instructions.

ps: I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules

Step 1: Set up casting from Chrome
If you're not already running Chrome, download Chrome. 
Ensure you're running the latest version of Chrome. If you're having trouble, here's how to get Chrome updates.
Though not required, we recommend you pin the Cast button to your Chrome toolbar.
If you plan to cast a tab to your Chromecast to watch video on TV, review the Minimum System Requirements to ensure that your computer and network are capable of supporting this.
Make sure your laptop/computer is connected to the same Wi-Fi network as your Chromecast device.
Check the Wi-Fi network of your Chromecast device. 
To check the Wi-Fi network of your computer, tap Wi-Fi  > connect to the network that matches your Chromecast device. 

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]

 
PLUG IN CHROMECAST

Labels: Needs-Feedback
Any device on the same WiFi network as the Chromecast can cast to it. If your neighbour is using the same WiFi network as you, you will be able to cast to their device and they can cast to yours.

Please ensure that your WiFi network is secured with a password and that your neighbour cannot connect to it. If you do that and this issue persists, then please update this bug.
We have different WiFi connections and different passwords.
I am the only one that uses my WiFi and I am the only one that has the password.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 10 2017

Cc: dominickn@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "dominickn@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -dominickn@chromium.org mfo...@chromium.org imch...@chromium.org
Components: Internals>Cast
Labels: OS-Windows
Owner: zhaobin@chromium.org
Status: Assigned (was: Unconfirmed)
+Cast folks to investigate whether this is an issue - I'm not an expert on this component.

Comment 6 by wfh@chromium.org, Nov 10 2017

The only way this could be happening is if either

1. you have "guest mode" (PIN sharing) enabled - see https://support.google.com/chromecast/answer/6109286 - and your neighbour is able to see the PIN on screen, and is physically close enough to be able to cast to your screen.
2. You are both on the same wifi network.

You can eliminate 1. by disabling guest mode - you can verify this is disabled by making sure there isn't a PIN displayed in the bottom left of your screen

You can eliminate 2. by changing the password on your wifi network, then if your neighbour is accidentally on your network (or vice versa) then you should know. When you change your wifi password you will need to re-attach your Chromecast to your new network. If you change your wifi password and your Chromecast is still working, then it's not on your wifi network.

Comment 7 by mfo...@chromium.org, Nov 10 2017

Cc: zhaobin@chromium.org
Labels: Needs-Feedback
Owner: ----
Status: Unconfirmed (was: Assigned)
Please let us know if this case falls in #1 or #2.
My case falls in #1

But I still can cast to the neighbours' Chromecast without permission and I still can see what they are looking at (privacy) in the pictogram on the Chrome web explorer. For example, I could see a website they were using to stream movies. And they could see me casting from a site. The address of the site is shown if I click on the tap of casting on the web browser.

So if I want I can stop the neighbours' casting without permission. And I can cast whatever I want on their screens.

I think the default setting is always "guest mode ON".


Comment 9 by wfh@chromium.org, Nov 10 2017

hi. You must be on the same wifi network for this to be happening. Can you double check the wifi network you are on?
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 10 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "mfoltz@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I did a password reset on my WiFi and reconnected with my Chromecast and entered the new password in my Google Home app. And I still can cast to my neighbours' Chromecast; my devices (laptop and phone) are connected with the Chromecast of my neighbours.

I never met my neighbour so I don't think they have my WiFi password. And I don't remember giving it to someone! And I'm really upset by the fact that other people can see what I'm browsing on the internet.

So I did the reset of my WiFi network. My Chromecast asked for my new WiFi password. But I still can cast to the Chromecast of my neighbours.

If I reset the Chromecast it automatically goes into guest mode and shows the PIN on the screen. So if a customer doesn't know this, and that is a lot of customers, everybody can connect with their Chromecast and know what they are browsing and casting. It comes like this out of the box: guest mode is preset to enabled.

Also, when I reset the WiFi password the Chromecast resets itself and enables guest mode.
To be precise, it's an external casting component, the Chromecast, that you can attach to a screen with HDMI.

It's impossible that my neighbours could see my PIN on my screen. And I did everything you asked and I still can cast to my neighbours' Chromecast. I did the WiFi password change and I changed my WiFi name.
Labels: Needs-Feedback
Would you be able to attach a video or screenshots of what you are seeing?

Can you explain what you mean by the "Chrome web explorer"?
Also, to clarify, are you saying that your Chromecast *is* in guest mode? Do you have this problem if you disable guest mode?
I can cast to the neighbours' Chromecast without physically seeing or entering the PIN that's displayed on the screen. The extension in the web browser also shows info about the content. In the first screenshot you can see that I am connected with the Chromecast of my neighbours. And in the second screenshot you can see the content.

I changed my WiFi name and WiFi password. The Chromecast asks for the new WiFi password. But then it's possible to connect with the Chromecast without PIN input. Everybody that's close enough to the Chromecast can connect without entering the PIN.


Chromecast 1.png (112 KB)
Chromecast 2.png (120 KB)
Project Member

Comment 18 by sheriffbot@chromium.org, Nov 11 2017

Cc: est...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I don't even know which one of my neighbours I am connected with. But I can see what they are casting, if they are using their Chromecast.
Chromecast 3.png (194 KB)
It seems like if a Chromecast is connected to a WiFi network and guest mode is enabled, everybody can connect to the Chromecast if they are connected to another WiFi network.
Owner: imch...@chromium.org
Status: Assigned (was: Unconfirmed)
Cast people, could you please take a look at these screenshots and see if they look WAI or not?
Cc: johnpallett@chromium.org
Labels: Needs-Feedback
Hi, it seems there are at least a few possibilities:
1) Somehow your neighbor's device advertised itself to your network (i.e. the device advertisement traffic somehow "tunneled" from their network to yours. I am not a networks expert, but maybe this is possible under certain setup?)
2) Your neighbor's device has guest mode enabled, and somehow your machine is able to pick up the device. (Guest mode doesn't work on desktop though, so this seems unlikely)
3) Somehow you are also connected to your neighbor's network in addition to your own.

Could you please send us additional feedback by right clicking on the cast icon on the browser menu, and then choosing "Report an issue"? Please check the "Send debug logs" box and include your email in the feedback so we can locate it. Thank you.
I just sent it.
Labels: Security_Severity-Medium M-62 Security_Impact-Stable
Adding some labels that were missing.
Project Member

Comment 27 by sheriffbot@chromium.org, Nov 15 2017

Labels: Pri-1
Project Member

Comment 28 by sheriffbot@chromium.org, Nov 28 2017

imcheng: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
So mfoltz@ and I looked over the feedback report. We found that your neighbor's device is somehow advertising itself to your network, using a public IP address no less (!), which explains why your computer is able to connect to it. This was surprising to us because device discovery is only intended to work within your local network, and devices are only advertised with private IP addresses. Conceptually, what seems to be happening here is that there is a router one level up (perhaps you and your neighbor's ISP) that is acting as if you and your neighbor's local networks are one and the same, and routing traffic between them.

Because desktop Chrome doesn't support guest mode, this suggests a network misconfiguration for you and/or your neighbor. As a potential remedy I would suggest resetting your router to defaults and asking your neighbor to do the same. If the problem persists, I would suggest checking with your ISP to further investigate the issue.

In the meantime we have filed https://bugs.chromium.org/p/chromium/issues/detail?id=786109 to restrict cast devices to private IP addresses only.
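
The restriction mentioned in the comment above (accept cast devices only at private IP addresses), sketched as an added example; it is not Chromium's code and not part of the original thread. The address ranges treated as local, the function names and the sample discovery records are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as "local" here (this example's assumption, not Chromium's list):
# RFC 1918 private, IPv4 link-local, IPv6 unique-local and IPv6 link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]
# RFC 6598 shared address space used for carrier-grade NAT: not a home LAN.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr_text):
    """Return (accept, reason) for one advertised address string."""
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return False, "malformed address"
    # Judge an IPv4-mapped IPv6 address by the IPv4 address it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr.version == net.version and addr in net for net in LOCAL_NETS):
        return True, "private or link-local"
    if addr.version == 4 and addr in CGNAT:
        return False, "carrier-grade NAT range"
    return False, "not a local address"


def filter_devices(records):
    """Split (name, address) discovery records into accepted and rejected."""
    accepted, rejected = [], []
    for name, addr in records:
        ok, reason = classify(addr)
        (accepted if ok else rejected).append((name, addr, reason))
    return accepted, rejected


# Constructed discovery results; public-looking entries use documentation ranges.
SAMPLE = [
    ("Living Room TV", "192.168.1.23"),
    ("Unknown TV", "203.0.113.7"),
    ("Mapped TV", "::ffff:203.0.113.7"),
    ("Bedroom TV", "fe80::1c2d:3eff:fe4f:5a6b"),
    ("Shared-space TV", "100.64.12.9"),
    ("Broken record", "192.168.1.999"),
]

if __name__ == "__main__":
    accepted, rejected = filter_devices(SAMPLE)
    for name, addr, reason in accepted:
        print(f"show  {name:<16} {addr:<28} {reason}")
    for name, addr, reason in rejected:
        print(f"drop  {name:<16} {addr:<28} {reason}")
```

A client that filters this way still shows every device on a shared layer-2 segment that uses private addressing, so it hardens the sink list without replacing network separation.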
I don't know who my neighbours are that are connected with my computer. So what you are suggesting is a little bit awkward: to look at whom I am connected with and ask if they can default their router because I can see what they are watching with their device. This problem is a serious privacy issue that isn't allowed to happen. Who can tell me that there are not more people connected with my device who can see what I am watching on my device? I am not a computer expert to sort that kind of thing out.

And if the problem is solved with https://bugs.chromium.org/p/chromium/issues/detail?id=786109

ps: I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules
Project Member

Comment 32 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63
Project Member

Comment 33 by sheriffbot@chromium.org, Dec 13 2017

imcheng: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
This is fixed in M64 per issue 786109.
I still can cast to neighbour's device.


Project Member

Comment 36 by sheriffbot@chromium.org, Dec 14 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
?

I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules
Hi yassine.elaz@, can you confirm that the issue is fixed in Chrome 64, which is available on the Beta channel: https://www.chromium.org/getting-involved/dev-channel ?

Thanks!
It seems like it has been fixed. I can't cast to my neighbours' Chromecast anymore.

?

?

I didn't get feedback from you?

Labels: reward-topanel
yassine.elaz@ - this bug is one of many we deal with. I'm sorry if you think we have been slow to get back to you.

We will be considering this bug for a reward at our next VRP panel, now that it has been confirmed to be fixed. Please note that comments making demands for rewards do nothing to increase the speed or likelihood of receiving one.
OK, thanks, understood.
Labels: -M-63 Release-0-M64 M-64
yassine.elaz@ one thing: how would you like to be credited on the Chrome release notes?
What are the options? I never did this before.

Cc: awhalley@chromium.org
It's usually a name + a social media or short web link. See https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html for examples
Yassine Elaz

Comment 51 Deleted

Labels: -Type-Bug-Security -Restrict-View-SecurityNotify -reward-topanel -Security_Impact-Stable -Security_Severity-Medium -Release-0-M64 -CVE-2018-6044 reward-0 Type-Bug
Hi Yassine. This report came before the VRP panel, and I'm very sorry to say that they decided it should be treated as a functional bug, rather than a security issue. While the situation you described did indeed have security implications, the bug lies with your ISP (see the details in comment 29). While we did make a change based on this report (issue 786109), that was also tracked as a functional change and was a hardening measure, not a security bug fix. Because of this I'm afraid this issue isn't eligible for the Chrome VRP and we shouldn't have issued a CVE.

Thank you for the report, and I'm glad that the issue is now fixed for you. I am removing the view restrictions on this bug so you can send it to your ISP if you wish to follow up with them to confirm they are no longer routing traffic between your and your neighbour's networks.
Sorry, I am not so technical as to understand ISP and routing traffic and other technical things. I am a consumer and I expect that if I use a product from Google it has to function properly and protect my privacy and security.

I want to explain why it was a real security issue in my opinion and in my case. And this all occurred when the device didn't function properly.

I could stream videos to my neighbours' device and could project everything I wanted on it. What if there were children watching TV and I would stream horror movies or pornographic videos? Their security wouldn't be secure. I had access and control over their device and that for me is a security issue.

I used my device for over a year and in that whole time people could see what I was watching on my TV. My privacy wasn't secure all the time I used my device. I could also see what my neighbour was watching so her privacy wasn't secure too. They could see which website I was visiting and I could see which website she was visiting. If I am streaming sensitive sites to my device my neighbour could see it. And everyone that was using the same device.

I did all the steps you all asked me to do from the beginning and the problems weren't solved. I really had to push to get to a result.

I have screenshots from the beginning. And I can show that the problems weren't solved.

I also want to ask you if there are other steps I could take. Cause I really don't like the way it has been labeled as a functional bug.

Hi Yassine. Firstly, I would like to thank you again for providing so much help such as sending us the debug logs. I also agree that there was a privacy problem here, calling this bug a functional bug doesn't detract from that. It's more a question of where the problem lies.

Chromecast is intended to be shared by users on the same network. Imagine you and your neighbour agreed to share an internet connection by using the same wifi network. In that case the behaviour you describe would be expected: you'd both be on the same network. The problem here is that your internet service provider, who should be keeping your and your neighbour's networks separate, is in fact treating them as the same - as if there was an Ethernet cable running directly between your two routers. The Chromecasts then, correctly, think they are on the same network and exhibit the behaviour you describe.

This ISP misconfiguration might well be a security or privacy problem for other products on your network, so while the change we made (issue 786109) might help with the Chromecast in this case, the real fix has to be made by your ISP.

Showing this bug to your ISP's support team should be sufficient for them to help, though they may need you to take some more steps to provide them with logs.

Good luck! 
