Generally speaking, Google’s services are fairly secure. Today, though, a vulnerability from Google Photos has been revealed which potentially exposed location history, before it was patched.

Security company Imperva revealed today a Google Photos security vulnerability which could have left users’ location history available to attackers. At the time the flaw was published, Google had already patched the issue.

The attack itself was browser-based, requiring users to be tricked into visiting a malicious website while also being logged into Photos on the web. Due to the effort needed from the attacker, though, this flaw was likely never used on a large-scale.

Still, we’re glad to see that Google has patched things. After all, this security vulnerability could reveal the location history of a user. As Imperva explains:

In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results.

Next, I timed the following query “photos of me from Iceland” and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland… by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.

More on Google Photos:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen. Send tips to or encrypted to