A now-corrected Google Photos security flaw once let nefarious characters grab users’ location data, researchers point out…
Researchers at security firm Imperva have uncovered a now-patched bug which previously allowed hackers to track Google Photos users’ location history.
Google Photos Security Flaw Allowed Attackers to Obtain Users’ Location Data
Google Photos, which was recently victimized by an Android TV bug, was in fact susceptible to browser-based timing attacks. Such attacks could be used to extract a photo’s image data, which includes an approximate time and location.
“A now-patched vulnerability in the web version of Google Photos allowed malicious websites to expose where, when, and with whom your photos were taken.” — Ron Masas
It wasn’t a totally sophisticated risk, however. For this kind of attack to actually work, a hacker would have to trick a user into visiting a malicious website. (That user must also be logged into Google Photos, and the assailant would have to invest a substantial amount of time.)
This is part of a bigger issue, though. Similar sites, such as Facebook, Messenger, and others, are still at risk of browser-based side-channel attacks. The good news is that the largest players, like Google and Facebook, are dedicating more resources to this particular problem.