chrisdh79 OP t1_j249z9f wrote on December 29, 2022 at 3:39 PM

From the article: A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.

A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.

While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.

Using a Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.

ZaNobeyA t1_j26b8wo wrote on December 29, 2022 at 11:40 PM

few days ago. I've had the google hub reset and set up with a different google account. I still had control over it with the previous account from a phone. I wonder if this is correlated somehow.

One-Weather-740 t1_j26lego wrote on December 30, 2022 at 12:51 AM

"Yes mr. police officer, they stole my bitcoin through my speaker"

[deleted] t1_j24svn4 wrote on December 29, 2022 at 5:43 PM

[removed]