Flaw in Google Photos Exposed Users location Data

latest trends in cyber security

A security researcher discovered a vulnerability in Google Photos web version which allowed attackers to learn the location history of your photos.

Google photos allow users to find and tag photos based on the metadata information such as geographic coordinates, date of creation, etc. By using artificial intelligence algorithem it can detect objects and faces based on tagging.

Ron Masas, a security researcher at Imperva, discovered that through browser-based timing attacks a hacker could find out a user’s location or travel history.

The researcher used an HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. By using javascript measured the time it took the onload event to trigger and used it to calculate baseline time.

In this case, timing a search query will receive zero results. In the next step researcher queried “photos of me from Iceland” and compared result of both.

If the query took longer search time than the baseline, he could infer that user visited Iceland.

“As I mentioned above, the Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.”

For the attack to work, the attacker needs to trick victims in to visit a malicious website while they logged in to Google photos.

Then the javascript code will silently generate a request to the Google Photos search endpoint and extracts answers to any query the attacker wants.

Here the attacker does not have to extract all information at once. Instead, they can keep track of everything and resume when the victim revisits the malicious website.

Researcher notified Google about the vulnerability and has been patched now. The researcher has also shared a video demonstration of the proof of concept of the attack which can be seen below:

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin and Twitter.

You may be interested in reading:New Zero-day flaw in Google Chrome Discovered Actively Exploited in the Wild



Please rate this content