Google Photos offers numerous beneficial features to users for managing photos. One such feature includes auto-tagging of photos using image metadata. The app utilizes geo-coordinates, date and time of the picture, and facial recognition for this feature. While this sounds a convenient feature, it also poses a serious security threat to a users’ privacy. A researcher has recently discovered a Google Photos vulnerability that could expose such image details to potential hackers.
Serious Google Photos Vulnerability Found
Reportedly, a researcher from Imperva found a serious security flaw in Google Photos that could compromise users’ privacy. Exploiting the flaw could let an attacker retrieve picture metadata.
The researcher, Ron Masas, found this vulnerability out of his curiosity to check for side-channel attacks as he came to know of the app’s search features. After some attempts, he discovered a problem. He has shared the details of his findings regarding Google Photos vulnerability in a blog post. As stated in it,
“After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search).”
In summary, he found that an attacker could extract a victim’s image metadata to gain a better insight of a person. All an attacker should do was to lure the target logged-in to Google Photos to open a website running the attacker’s JS code.
The code would then extract Boolean answers to attacker’s queries by generating silent requests to Google Photos vulnerable endpoint.
Masas has demonstrated the attack in the following video.
Google Patched The Flaw
Masas confirmed that Google has now patched the flaw. It means the users of Google Photos are safe for now from this vulnerability.
However, he expressed his concern regarding the general ignorance of industry towards browser-based side-channel attacks.
“While big players like Facebook are catching up, most of the industry is still unaware.”
Earlier this month, another security problem targeted Google Photos app. However, the flaw didn’t exist in the app. Rather, a vulnerability in Android TV devices resulted in the exposure of private photos of users to others.