Published advisory · CVE-2023-48417

Google Chromecast KeyChain Information Disclosure Vulnerability

Published Rocco Calvi
CVSS severity 5.5/ 10.0 · Medium AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vulnerability analysis

This vulnerability allows local attackers to disclose sensitive information on affected installations of Google Chromecast. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the KeyChain component. The issue is exploitable by any installed application with Intent-sending capabilities. An attacker can leverage this vulnerability to disclose stored credentials and sensitive information.

Discovered and demonstrated at the HardPwn USA 2023 hardware hacking competition, held alongside the hardwear.io conference.

Disclosure timeline

  1. Vulnerability demonstrated at HardPwn USA 2023 (hardwear.io)
  2. Coordinated public release of advisory

References