Key Takeaways

Smart TVs can leak email inboxes - remotely log out.

Third-party browsers can be used to install Chrome, which can access Google accounts on Android TVs.

Use throwaway Google accounts for TVs in public settings.

If you've ever been in a hotel with a smart TV, there's a decent chance you logged into your Google account on it to consume Netflix or other content. After all, those devices are locked down... right? Well, as it turns out, those devices can actually leak the inboxes of people who have logged into them, and you should immediately remotely log out of your Google account if you've logged into one before.

In a report from 404 Media, the news group outlined how with just a few minutes of unsupervised access to an Android TV, an attacker could gain access to the inbox of the email address that was logged in on the TV.

“My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV,” Senator Ron Wyden reportedly told 404 Media in a statement.

How an attacker can go through your emails on an Android TV

It's surprisingly simple

Personally, I don't ever log into Android TVs in hotels for privacy and security reasons, but I can understand why someone would feel as if they were able to do so and keep their data safe. After all, on the surface, an Android TV can only consume content. The average consumer would be forgiven for assuming there's nothing else a would-be attacker could do.

However, as YouTuber Cameron Gray demonstrated, a third-party browser can be installed on an Android TV and used to install Google Chrome, which can then use the Google account already signed in on the TV to access emails and other associated account data. It's not so much that this is unintended behavior, but rather that it's something end users may not be aware of.

As Gray demonstrates in his YouTube video, he downloads a browser called TV Bro. From there, he navigates to another APK website, installs Google Chrome, and then logs in with the already-logged-in Google account. From there, he can navigate with a mouse and keyboard to traverse the web, including viewing the details of that currently logged-in account.

This also causes problems for a TV that has been set up under a hotel's or even an Airbnb host's email. An attacker could easily access sensitive information that they weren't supposed to, and this could apply to a TV used anywhere. Any TV in a public setting where members of the public can interact with it is susceptible, and the best way to approach it is to use throwaway Google accounts to set up those TVs in the first place.

Google told 404 Media the following in a statement: “We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account.”

The spokesperson for Google went on to add that “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.”

What to do if you've logged into a hotel TV before

You can log out remotely

If you've logged into a TV before and are worried about it, you can log out of your Google account remotely. Follow these steps:

1. Open Gmail.
2. In the top right, click your photo.
3. Click Manage your Google Account.
4. Click Security.
5. Under "Your devices," click Manage all devices.
6. Choose a device.
7. Click Sign out.

Once you've logged out, your account is considered safe.