Google Chromecast KeyChain Information Disclosure Vulnerability
Rocco Calvi
- CVSS: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Affected Vendors
- Affected Products: Chromecast
Vulnerability Details
This vulnerability allows local attackers to disclose sensitive information on affected installations of Google Chromecast. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the KeyChain component. The issue is exploitable by any installed application with Intent-sending capabilities. An attacker can leverage this vulnerability to disclose stored credentials and sensitive information.
The vulnerability was discovered and demonstrated at the HardPwn USA 2023 hardware hacking competition, held alongside the hardwear.io conference.
Additional Details
Disclosure Timeline
- 2023-07-01 — Vulnerability demonstrated at HardPwn USA 2023 (hardwear.io)
- 2023-12-01 — Coordinated public release of advisory