What is the issue - A security researcher from Imperva, Ron Masas uncovered that Google Photos is vulnerable to a browser-based timing attack called Cross Site Search.
Why it matters - This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos. The metadata information includes photos’ geolocation details, date, time, and more.
To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.
The big picture
Security researcher Ron Masas recently learned about Google Photos’ search capabilities and tested for browser-side channel attack.
“The Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country,” the researcher explained.
How does this work?
What’s the conclusion - The researcher notified Google about the Google Photos bug and Google has patched the vulnerability.