- This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos.
- To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.
What is the issue - A security researcher from Imperva, Ron Masas, uncovered that Google Photos is vulnerable to a browser-based timing attack called Cross-Site Search.
Why it matters - This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos. The metadata information includes photos’ geolocation details, date, time, and more.
To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.
The big picture
Security researcher Ron Masas recently learned about Google Photos’ search capabilities and tested them for browser-based side-channel attacks.
- Masas used the HTML link tag to create multiple cross-origin requests to the Google Photos search feature.
- Using the information from these requests, Masas calculated a baseline time.
- The security researcher then used a search query of ‘photos of me from Iceland’, measured the search time for the query and then compared it with the calculated baseline time.
- In this way, the researcher was able to infer that the user had visited Iceland.
“The Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country,” the researcher explained.
How does this work?
What’s the conclusion - The researcher notified Google about the Google Photos bug, and Google has patched the vulnerability.
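The article does not say how Google fixed the bug. As an added example (not Google's patch and not code from the researcher), here is one common server-side defence against the cross-origin link-tag requests described above: a Fetch Metadata check that refuses cross-site subresource requests to a search endpoint. The function name, option name and sample requests are hypothetical.

```javascript
// Added example: Fetch Metadata filter for a search endpoint.
// Sec-Fetch-* are real browser request headers; the function name, option
// name and sample requests below are hypothetical / constructed.
function allowSearchRequest(req, opts = {}) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  const site = h['sec-fetch-site'];

  // Older browsers send no Fetch Metadata: let them through and rely on
  // other controls (for example SameSite cookies) for those clients.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  // Requests from the application itself, or typed/bookmarked URLs ("none").
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: site };
  }

  // Everything left is cross-site (or an unrecognised value). The only shape
  // that may be allowed is a plain top-level GET navigation, and only if the
  // endpoint opts in; subresource loads (link, img, script) are refused.
  const isTopLevelNav = (req.method || 'GET').toUpperCase() === 'GET' &&
    h['sec-fetch-mode'] === 'navigate' && h['sec-fetch-dest'] === 'document';
  if (isTopLevelNav && opts.allowCrossSiteNavigation) {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  return { allow: false, reason: 'cross-site-blocked' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  ownUi: { method: 'GET', headers: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' } },
  // e.g. what a browser sends for a cross-site <link rel="stylesheet">
  crossSiteLinkTag: { method: 'GET', headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'style' } },
  crossSiteNavigation: { method: 'GET', headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } },
  legacyBrowser: { method: 'GET', headers: {} },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, allowSearchRequest(req));
}
```

The check has to run before the search query is executed, so that a refused request takes the same time whatever the search terms were.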