Yup, any Chromecast is vulnerable to "takeover" whenever it gets disconnected from its configured WiFi AP.
Why? Because its setup mode is completely open and requires no challenge, just a response. It's like if you call a credit card company, put in a number that isn't yours, then the agent comes on the line and asks
"Are you Joe Smith?" [Yes]
"Is your password 'ChocolateMilkGivesMeGas'?" [Yes]
Because a simple reconfiguration does not seem to delete the existing WiFi supplicant data (Google could easily fix this by erasing the stored WiFi credentials once a device connects for setup), if the noted buffer overrun bug or another exploit could gain root, the user's WiFi credentials are easily accessed.
Factory reset does delete the stored WiFi credentials, but nobody's going to factory-reset their Chromecast until it's already too late.
This particular issue is an issue for those running rooted Chromecasts, as all the attacker needs is a way in (which includes the Team Eureka Web Panel for those running Eureka-ROM, as the current web panel is not secured).
IMO, Google needs to make the setup more secure - ease of use should never trump security.