Security: Chromecast model: NC2-6A5
Reported by
yassine....@gmail.com,
Nov 9 2017
Issue description

Stable channel for Windows (64-bit)
Microsoft Windows version 1703 build operatingsystem 15063.674
Chromecast model: NC2-6A5 FFC ID: A4RNC2-6A5/ IC: 10395A-NC26A5/ CANMB-3 B/ MADE in CHINA

I can cast on other screens without any security or password input. For example I can cast to the same chromecast that my neighbour has. I can also see what the neighbour is looking at if I go to the cast pictogram on GOOGLE CHROME web explorer. The same thing is that the neighbours can cast on my screen and they can see what I am casting. I followed the following instructions.

ps: I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules

Step 1: Set up casting from Chrome
If you're not already running Chrome, download Chrome.
Ensure you're running the latest version of Chrome. If you're having trouble, here's how to get Chrome updates.
Though not required, we recommend you pin the Cast button to your Chrome toolbar.
If you plan to cast a tab to your Chromecast to watch video on TV, review the Minimum System Requirements to ensure that your computer and network are capable of supporting this.
Make sure your laptop/computer is connected to the same Wi-Fi network as your Chromecast device.
Check the Wi-Fi network of your Chromecast device.
To check the Wi-Fi network of your computer, tap Wi-Fi > connect to the network that matches your Chromecast device.

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed.
,
Nov 10 2017
Any device on the same WiFi network as the Chromecast can cast to it. If your neighbour is using the same WiFi network as you, you will be able to cast to their device and they can cast to yours. Please ensure that your WiFi network is secured with a password and that your neighbour cannot connect to it. If you do that and this issue persists, then please update this bug.
,
Nov 10 2017
We have different WIFI connections and different passwords. I am the only one that uses my wifi and I am the only one that has the password.
,
Nov 10 2017
Thank you for providing more feedback. Adding requester "dominickn@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 10 2017
+Cast folks to investigate whether this is an issue - I'm not an expert on this component.
,
Nov 10 2017
The only way this could be happening is if either
1. you have "guest mode" (PIN sharing) enabled - see https://support.google.com/chromecast/answer/6109286 - and your neighbour is able to see the PIN on screen, and is physically close enough to be able to cast to your screen.
2. You are both on the same wifi network.

You can eliminate 1. by disabling guest mode - you can verify this is disabled by making sure there isn't a PIN displayed in the bottom left of your screen.

You can eliminate 2 by changing the password on your wifi network, then if your neighbour is accidentally on your network (or vice versa) then you should know. When you change your wifi password you will need to re-attach your Chromecast to your new network. If you change your wifi password and your chromecast is still working, then it's not on your wifi network.
,
Nov 10 2017
Please let us know if this case falls in #1 or #2.
,
Nov 10 2017
My case falls in #1. But I still can cast to the neighbour's Chromecast without permission and I still can see what they are looking at (privacy) in the pictogram on the Chrome web explorer. For example I could see a website they were using to stream movies. And they could see me casting from a site. The address of the site is shown if I click on the tap of casting on the web browser. So if I want I can stop the neighbour's casting without permission. And I can cast whatever I want on their screens. I think the default setting is always "guest mode ON".
,
Nov 10 2017
hi. You must be on the same wifi network for this to be happening. Can you double check the wifi network you are on?
,
Nov 10 2017
Thank you for providing more feedback. Adding requester "mfoltz@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 10 2017
I did a password reset on my WIFI and reconnected with my chromecast and entered the new password on my google home App. And I still can cast to my neighbour's Chromecast. My devices, laptop and phone, are connected with the chromecast of my neighbours. I never met my neighbour so I don't think they have my wifi password. And I don't remember giving it to someone! And I'm really upset by the fact that other people can see what I'm browsing on the internet. So I did the reset of my wifi network. My Chromecast asked for my new wifi password, but I still can cast to the chromecast of my neighbours.
,
Nov 10 2017
If I reset the chromecast it automatically goes in guest mode and shows the pin on the screen. So if a customer doesn't know this, and that are a lot of customers, everybody can connect with their Chromecast and know what they are browsing and casting. It comes like this out the box, the guest mode is preset on enable. Also when I reset the WIFI password the Chromecast resets itself and enables guest mode.
,
Nov 10 2017
To be precise it's an external casting component, the chromecast that you can attach to a screen with HDMI.
,
Nov 10 2017
It's impossible that my neighbours could see my pin on my screen. And I did everything you asked and I still can cast to my neighbour's Chromecast. I did the wifi password change and I changed my wifi name.
,
Nov 11 2017
Would you be able to attach a video or screenshots of what you are seeing? Can you explain what you mean by the "Chrome web explorer"?
,
Nov 11 2017
Also, to clarify, are you saying that your Chromecast *is* in guest mode? Do you have this problem if you disable guest mode?
,
Nov 11 2017
I can cast to the neighbour's Chromecast without physically seeing or input of the PIN that's displayed on the screen. The extension on the web browser also shows info about the content. On the first screenshot you can see that I am connected with the chromecast of my neighbours. And on the second screenshot you can see the content. I changed my wifi name and wifi password. The chromecast asks for the new wifi password. But then it's possible to connect with the chromecast without PIN input. Everybody that's close enough to the chromecast can connect without input PIN.
,
Nov 11 2017
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 11 2017
I don't even know which one of my neighbours I am connected with. But I can see what they are casting, if they are using their chromecast.
,
Nov 11 2017
,
Nov 11 2017
It seems like if a chromecast is connected to a wifi network and guest mode is enabled everybody can connect to the chromecast if they are connected to another wifi network.
,
Nov 12 2017
Cast people, could you please take a look at these screenshots and see if they look WAI or not?
,
Nov 13 2017
,
Nov 13 2017
Hi, it seems there are at least a few possibilities:
1) Somehow your neighbor's device advertised itself to your network (i.e. the device advertisement traffic somehow "tunneled" from their network to yours. I am not a networks expert, but maybe this is possible under certain setup?)
2) Your neighbor's device has guest mode enabled, and somehow your machine is able to pick up the device. (Guest mode doesn't work on desktop though, so this seems unlikely)
3) Somehow you are also connected to your neighbor's network in addition to your own.

Could you please send us additional feedback by right clicking on the cast icon on the browser menu, and then choosing "Report an issue"? Please check the "Send debug logs" box and include your email in the feedback so we can locate it. Thank you.
,
Nov 13 2017
I just sent it.
,
Nov 14 2017
Adding some labels that were missing.
,
Nov 15 2017
,
Nov 28 2017
imcheng: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 28 2017
So mfoltz@ and I looked over the feedback report. We found that your neighbor's device is somehow advertising itself to your network, using a public IP address no less (!), which explains why your computer is able to connect to it. This was surprising to us because device discovery is only intended to work within your local network, and devices are only advertised with private IP addresses. Conceptually, what seems to be happening here is that there is a router one level up (perhaps you and your neighbor's ISP) that is acting as if you and your neighbor's local networks are one and the same, and routing traffic between them. Because desktop Chrome doesn't support guest mode, this suggests a network misconfiguration for you and/or your neighbor. As a potential remedy I would suggest resetting your router to defaults and asking your neighbor to do the same. If the problem persists, I would suggest checking with your ISP to further investigate the issue. In the meantime we have filed https://bugs.chromium.org/p/chromium/issues/detail?id=786109 to restrict cast devices to private IP addresses only.
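The hardening mentioned in the comment above (accepting cast devices only at private addresses) can be sketched as follows. This is an added example, not part of the original thread and not Chromium's code; the function names, the sample records and the exact set of ranges treated as local are assumptions of the example.

```python
import ipaddress

# Ranges a receiver on a home LAN can legitimately advertise.
# Assumption of this example: RFC 1918, IPv4/IPv6 link-local, IPv6 unique local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fc00::/7",                                       # IPv6 unique local
    "fe80::/10",                                      # IPv6 link-local
)]

def is_local_sink_address(text):
    """Return True only if `text` parses as an address inside LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return False  # malformed address: reject rather than guess
    # Unwrap ::ffff:a.b.c.d so a mapped public IPv4 cannot pass as IPv6.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in LOCAL_NETS)

def filter_sinks(records):
    """Split (name, address) discovery records into accepted and rejected."""
    accepted, rejected = [], []
    for name, address in records:
        bucket = accepted if is_local_sink_address(address) else rejected
        bucket.append((name, address))
    return accepted, rejected

# Constructed sample records; names and addresses are illustrative only.
SAMPLE = [
    ("Living Room TV", "192.168.1.23"),
    ("Unknown TV", "203.0.113.40"),   # documentation range standing in for a public IP
    ("Bedroom TV", "fe80::1a2b:3cff:fe4d:5e6f"),
    ("Mapped", "::ffff:203.0.113.40"),
    ("CGNAT", "100.64.12.7"),         # ISP shared address space, not a home LAN
    ("Broken", "not-an-ip"),
]

if __name__ == "__main__":
    ok, bad = filter_sinks(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

A rejected entry is also worth logging: a receiver advertised at a non-local address is the symptom that led to the diagnosis in this thread.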
,
Nov 28 2017
I don't know who my neighbors are that are connected with my computer. So what you are suggesting is a little bit awkward, to look with whom I am connected and ask if they can default their router because I can see what they are watching with their device. This problem is a serious privacy issue that isn't allowed to happen. Who can tell me that there are not more people connected with my device who can see what I am watching on my device? I am not a computer expert to sort that kind of things out.
,
Nov 28 2017
And if the problem is solved with https://bugs.chromium.org/p/chromium/issues/detail?id=786109 ps: I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules
,
Dec 7 2017
,
Dec 13 2017
imcheng: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 13 2017
,
Dec 13 2017
I still can cast to neighbour's device.
,
Dec 14 2017
,
Jan 2 2018
?
,
Jan 2 2018
I want my reward on basis of Google Vulnerability Reward Program (VRP) Rules
,
Jan 2 2018
Hi yassine.elaz@, can you confirm that the issue is fixed in Chrome 64, which is available on the Beta channel: https://www.chromium.org/getting-involved/dev-channel ? Thanks!
,
Jan 2 2018
It seems like it has been fixed. I can't cast to my neighbour's chromecast anymore.
,
Jan 5 2018
?
,
Jan 21 2018
?
,
Jan 21 2018
I didn't get feedback from you?
,
Jan 22 2018
yassine.elaz@ - this bug is one of many we deal with. I'm sorry if you think we have been slow to get back to you. We will be considering this bug for a reward at our next VRP panel, now that it has been confirmed to be fixed. Please note that comments making demands for rewards do nothing to increase the speed or likelihood of receiving one.
,
Jan 22 2018
Okay, thanks, understood.
,
Jan 22 2018
,
Jan 22 2018
yassine.elaz@ one thing: how would you like to be credited on the Chrome release notes?
,
Jan 23 2018
What are the options? I never did this before.
,
Jan 23 2018
It's usually a name + a social media or short web link. See https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html for examples
,
Jan 23 2018
Yassine Elaz
,
Feb 5 2018
Hi Yassine. This report came before the VRP panel, and I'm very sorry to say that they decided it should be treated as a functional bug, rather than a security issue. While the situation you described did indeed have security implications, the bug lies with your ISP (see the details in comment 29). While we did make a change based on this report (issue 786109), that was also tracked as a functional change and was a hardening measure, not a security bug fix. Because of this I'm afraid this issue isn't eligible for the Chrome VRP and we shouldn't have issued a CVE. Thank you for the report, and I'm glad that the issue is now fixed for you. I am removing the view restrictions on this bug so you can send it to your ISP if you wish to follow up with them to confirm they are no longer routing traffic between your and your neighbour's networks.
,
Feb 10 2018
Sorry, I am not so technical to understand ISP and routing traffic and other technical things. I am a consumer and I expect that if I use a product from Google it has to function properly and protect my privacy and security. I want to explain why it was a real security issue in my opinion and in my case. And this all occurred when the device didn't function properly. I could stream videos to my neighbour's device and could project everything I wanted on it. What if there were children watching TV and I would stream horror movies or pornographic videos? Their security wouldn't be secure. I had access and control over their device and that for me is a security issue. I used my device for over a year and in that whole time people could see what I was watching on my TV. My privacy wasn't secure all the time I used my device. I could also see what my neighbour was watching so her privacy wasn't secure too. They could see which website I was visiting and I could see which website she was visiting. If I am streaming sensitive sites to my device my neighbour could see it. And everyone that was using the same device. I did all the steps you all asked me to do from the beginning and the problems weren't solved. I really had to push to get to a result. I have screenshots from the beginning. And I can show that the problems weren't solved. I also want to ask you if there are other steps I could take. Because I really don't like the way it has been labeled as a functional bug.
,
Feb 13 2018
Hi Yassine. Firstly, I would like to thank you again for providing so much help such as sending us the debug logs. I also agree that there was a privacy problem here, calling this bug a functional bug doesn't detract from that. It's more a question of where the problem lies. Chromecast is intended to be shared by users on the same network. Imagine you and your neighbour agreed to share an internet connection by using the same wifi network. In that case the behaviour you describe would be expected: you'd both be on the same network. The problem here is that your internet service provider, who should be keeping your and your neighbour's networks separate, is in fact treating them as the same - as if there was an ethernet cable running directly between your two routers. The Chromecasts then, correctly, think they are on the same network and exhibit the behaviour you describe. This ISP misconfiguration might well be a security or privacy problem for other products on your network, so while the change we made in issue 786109 might help with the Chromecast in this case, the real fix has to be made by your ISP. Showing this bug to your ISP's support team should be sufficient for them to help, though they may need you to take some more steps to provide them with logs. Good luck!