Security Researcher Reveals How Google Photos Had Left User Location History Vulnerable
Google is one of the biggest names in services, and while Apple fancies itself as a service company at times, Google is streets ahead. That doesn’t mean that it gets everything right, though, and security company Imperva has released details of a Google Photos vulnerability that could have allowed users’ location data to become available to others.
Thankfully, the issue is now fixed, but for a time it was definitely there, according to the report. The attack required the use of a browser, with users tricked into visiting a website while they were also logged into Google Photos. It wasn’t a low-effort affair, however, so it’s also unlikely that this was ever used.
Next, I timed the following query “photos of me from Iceland” and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland… by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.
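The attack described above depends on another website making the logged-in user's browser run a search and then timing it. As an added example (not from the article, Imperva's report, or Google's actual fix), here is one server-side check that refuses such cross-site requests using the browser's Fetch Metadata headers; the `/search` prefix, the request object shape and the sample requests are assumptions.

```javascript
// Added example, not Google's code. The '/search' prefix and the request
// object shape ({method, path, headers}) are assumptions for illustration.
const SENSITIVE_PREFIXES = ['/search']; // responses whose timing depends on private data

// Decide whether to serve a request, using the browser-set Fetch Metadata headers.
function decide(req) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  const site = h['sec-fetch-site'];
  // Browsers without Fetch Metadata send nothing; SameSite cookies must cover those.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };
  // same-origin/same-site: our own pages. none: typed URL or bookmark.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: site };
  }
  // Anything else was initiated by another site.
  const sensitive = SENSITIVE_PREFIXES.some((p) => req.path.startsWith(p));
  const topLevelNav = req.method === 'GET' &&
    h['sec-fetch-mode'] === 'navigate' && h['sec-fetch-dest'] === 'document';
  // Plain links into the app are fine, but a private search is never run
  // on behalf of a foreign page, so there is no response time to compare.
  if (topLevelNav && !sensitive) return { allow: true, reason: 'cross-site-navigation' };
  return { allow: false, reason: 'cross-site-blocked' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ['in-app search', { method: 'GET', path: '/search?q=iceland',
    headers: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' } }],
  ['search loaded as a subresource by another site', { method: 'GET', path: '/search?q=iceland',
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'image' } }],
  ['search opened as a navigation by another site', { method: 'GET', path: '/search?q=iceland',
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } }],
  ['link to the home page from another site', { method: 'GET', path: '/',
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } }],
  ['browser without Fetch Metadata', { method: 'GET', path: '/search?q=iceland', headers: {} }],
];
for (const [name, req] of SAMPLES) {
  const d = decide(req);
  console.log(`${d.allow ? 'ALLOW' : 'DENY '} ${name} (${d.reason})`);
}
```

The check has to run before the search executes; rejecting the request afterwards would leave the timing difference intact.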
While it is obviously good news that this is no longer an issue, it’s once again a reminder that when everything is online, being 100% safe and secure is something that isn’t easy to achieve.
[Image: function used for the aforementioned proof of concept]