The exploit was discovered by Tripwire in the Google Home app, which is used to configure both Home and Chromecast devices. For the most part, the app talks to Google's cloud to complete actions. However, the app performs some actions over the local network, talking directly to an unsecured HTTP server on the device.
So when you change a Chromecast's or Home's device name, or even connect it to Wi-Fi, the Home app uses an unencrypted channel that can easily be hijacked. Tripwire's Craig Young did exactly that: he hijacked the connection screen in the Home app and used it to extract location data from his devices that pinpointed his home to within 10 meters.
How is this possible? The attack takes advantage of HTML5's location API, which analyzes the signal strengths of surrounding Wi-Fi access points to triangulate a device's position. It took Young only a minute to pull the data and locate his own home.
Young warns that this exploit could be used in phishing scams that lead to blackmail or extortion threats. Common phone scams, such as callers pretending to be the IRS or FBI, could use this information to lend their threats credibility. While the method Young used was DNS rebinding, which essentially hijacks a browser, he warns that the same weakness could also be exploited by browser extensions and by mobile apps running in the background.
He also warns that this exploit isn't limited to Google's devices. Throughout his years auditing smart devices, he has seen the same issue crop up several times in other products, such as smart TVs. Google's fix will likely add a layer of security to the HTTP server and require some form of authentication before the device name can be changed or the device connected to Wi-Fi.
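The standard defense against the DNS rebinding path described above is for a device's local HTTP server to refuse any request whose Host header does not name the device itself: a rebound request from a malicious page arrives with the attacker's domain in Host, not the device's address. The following is an added example of that check, not Google's or Tripwire's code; the device addresses and allowed local names are constructed assumptions.

```python
"""Host-header validation for a device's local HTTP API (DNS rebinding defense).

Added example (assumption: the device binds the addresses listed below). A browser
that was rebound to the device's LAN address still sends the attacker's hostname
in the Host header, so answering only requests addressed to the device itself
blocks that path. Authentication is still needed on top of this check.
"""
import ipaddress
from http import HTTPStatus
from typing import Iterable, Optional, Tuple

# Constructed sample values, not from the page: addresses the device listens on
DEVICE_ADDRESSES = {"192.168.1.42", "127.0.0.1"}
ALLOWED_LOCAL_NAMES = {"localhost"}


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]' (bracketed IPv6 allowed) into (host, port)."""
    value = value.strip()
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    elif value.count(":") <= 1:                      # name or IPv4, optional port
        host, sep, port_str = value.partition(":")
        rest = sep + port_str
    else:
        raise ValueError("unbracketed IPv6 literal")
    port = None
    if rest:
        if rest[0] != ":" or not rest[1:].isdigit():
            raise ValueError("malformed port")
        port = int(rest[1:])
    return host.lower(), port


def host_is_trusted(host_header: Optional[str],
                    device_addresses: Iterable[str] = DEVICE_ADDRESSES,
                    allowed_names: Iterable[str] = ALLOWED_LOCAL_NAMES) -> bool:
    """True only when the Host header names this device (by IP or allow-listed name)."""
    if not host_header:                              # HTTP/1.1 requires Host; absent means untrusted
        return False
    try:
        host, _port = parse_host_header(host_header)
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Malformed header, or a DNS name: only allow-listed local names pass,
        # never an external domain such as one an attacker controls.
        return host_header.strip().lower().split(":")[0] in {n.lower() for n in allowed_names}
    return str(addr) in {str(ipaddress.ip_address(a)) for a in device_addresses}


def check_request(host_header: Optional[str]) -> int:
    """HTTP status a hardened local API returns before doing any work."""
    return HTTPStatus.OK if host_is_trusted(host_header) else HTTPStatus.FORBIDDEN
```

The same check belongs in front of every local endpoint, including the name-change and Wi-Fi-setup actions the article mentions, and it complements rather than replaces authentication.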