News, Culture & Society

Worrying flaw in Google Photos could let hackers track your LOCATION and see who you’ve tagged

Worrying flaw in Google Photos could let hackers track your LOCATION and see which friends you’ve tagged

  • Researcher discovered Google Photos site is vulnerable to side-channel attacks
  • Attackers send a malicious link, allowing them to take advantage of search tools
  • By analyzing search timing, attackers can learn where a photo is taken and more
  • Google has since patched the flaw in the latest version of its Chrome browser 

Security researchers have identified a flaw in Google’s photo-hosting service that would let hackers track your location history and who you tagged in photos. 

The vulnerability was discovered by Imperva, a cyber security software company, and detailed in a blog post. 

Google has since patched the flaw in the latest version of its web browser, Chrome 72, as well as for devices running Android 7.0 or higher. 

 

Security researchers have identified a flaw in Google’s photo-hosting service that would let hackers track your location history and who you tagged in photos. The flaw is now patched

WHAT IS THE GOOGLE PHOTOS SECURITY FLAW?

Imperva researcher Ron Masas discovered a side-channel attack in Google Photos that exposes where a picture is taken and the names of people tagged.  

He discovered the flaw exists in Google’s search function, where users can look for photos based on robust data collected in photo metadata, as well as Google’s AI technology. 

By timing his searches, he could distinguish when Photos had retrieved results for a specific search query.

In order for it to work, however, users would have to click on a malicious link, which would let attackers snoop on your Google Photos account. 

Mail Online has reached out to Google for comment on the now-patched vulnerability.

Imperva researcher Ron Masas first spotted the vulnerability in the web version of Google Photos, which let malicious sites ‘expose where, when, and with whom your photos were taken.’

Google Photos uses a photo’s metadata to provide robust information, such as geographic coordinates, date and more. 

It also uses Google’s artificial intelligence technology to identify objects in the photo, as well as automatically tag subjects that are in the photo. 

Users can use this information to make detailed search queries. 

For example, they can search ‘Photos of me from 2017’ and Google Photos will serve up pictures that match that description. 

However, Masas discovered this feature could be exploited by malicious sites using browser-based timing attacks. 

In order for it to work, users would have to click a link to a malicious website while they’re logged into Google Photos. 

A malicious link could be sent via a direct message in a chat app or email, as well as via malicious Javascript inside an advertisement. 

This means that the chance of users falling prey to the attack is pretty slim, but nevertheless, it was still possible. 

‘After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS Search),’ Masas explained.

In order for it to work, users would have to click a link to a malicious site while they're logged into Google Photos. A malicious link could be sent via a direct message in a chat app or email

In order for it to work, users would have to click a link to a malicious site while they’re logged into Google Photos. A malicious link could be sent via a direct message in a chat app or email

‘I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. 

‘Using JavaScript, I then measured the amount of time it took for the onload event to trigger,’ he added.

Masas would see how long it took the system to generate a search result for a query he knew would generate zero results. He referred to this timing as the baseline.

He then performed another search query and compared the timing to the baseline.

If it took longer than before, Masas knew that the search result had generated results.  

‘Google Photos search engine takes into account the photo metadata,’ Masas said. 

‘So by adding a date to the search query, I could check if the photo was taken in a specific time range. 

‘By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country,’ he noted.

It’s not the first time Masas has identified an attack of this kind. 

He previously identified a side-channel attack in Facebook Messenger that would let attackers see which contacts users have been messaging recently. 

‘It is my opinion that browser-based side-channel attacks are still overlooked,’ Masas explained. 

‘While big players like Google and Facebook are catching up, most of the industry is still unaware.’   

Read more at DailyMail.co.uk