Google Photos Flaw Exposes Users’ Location Data
Security research firm Imperva has revealed a now-patched flaw that could have exposed users’ location history on Google Photos.
In a blog post, Imperva exec Ron Masas — who recently exposed a similar flaw in Facebook Messenger — explains that Google Photos was vulnerable to browser-based timing attacks.
This flaw could expose a photo’s image data, allowing hackers to estimate the time of a visit to a specific place.
“After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search),” says Masas.
In order for users to be affected, they would have needed to open a malicious link while logged into their Google Photos account.
Because exploiting the flaw would have required a time-intensive, targeted attack, it is not considered a major risk.
However, as Masas says in his post, flaws like these are too often overlooked by the industry.
“While big players like Google and Facebook are catching up,” he said, “most of the industry is still unaware.”
Google has now patched the flaw, but side-channel attacks like this are still a risk on other services such as Dropbox, iCloud, Twitter, and more.