Generally speaking, Google’s services are fairly secure. Today, though, a vulnerability from Google Photos has been revealed which potentially exposed location history, before it was patched.
Security company Imperva revealed today a Google Photos security vulnerability which could have left users’ location history available to attackers. At the time the flaw was published, Google had already patched the issue.
The attack itself was browser-based, requiring users to be tricked into visiting a malicious website while also being logged into Photos on the web. Due to the effort needed from the attacker, though, this flaw was likely never used on a large-scale.
Still, we’re glad to see that Google has patched things. After all, this security vulnerability could reveal the location history of a user. As Imperva explains:
In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results.
Next, I timed the following query “photos of me from Iceland” and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland… by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.
More on Google Photos:
- Google Photos officially rolls out ‘Express backup’ & Data Caps, coming to more countries
- Android TV bug may have allowed access to other users’ private Google Photos
- Privacy lawsuit over facial recognition in Google Photos dismissed by federal judge
FTC: We use income earning auto affiliate links. More.
Comments