
Google Photos vulnerability exposes geo-location details of users’ images

  • This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos.
  • To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.

What is the issue - Ron Masas, a security researcher from Imperva, uncovered that Google Photos is vulnerable to a browser-based timing attack called Cross Site Search.

Why it matters - This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos. The metadata information includes photos’ geolocation details, date, time, and more.

To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.

The big picture

Security researcher Ron Masas recently learned about Google Photos’ search capabilities and tested them for a browser-based side-channel attack.

  • Masas used the HTML link tag to create multiple cross-origin requests to the Google Photos search feature.
  • He then used JavaScript to measure the amount of time it took for the ‘onload’ event to trigger.
  • Using the information, Masas calculated the baseline time.
  • The security researcher then used a search query of ‘photos of me from Iceland’, measured the search time for the query and then compared it with the calculated baseline time.
  • In this way, the researcher was able to infer that the user visited Iceland.

“The Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country,” the researcher explained.

How does this work?

  • For this attack to work, attackers could send messages to the targets or could insert JavaScript inside a web ad, thereby redirecting victims to a malicious website while they are logged into Google Photos.
  • The JavaScript code on the malicious website extracts answers to the attacker’s queries by generating requests to the Google Photos search endpoint.

What’s the conclusion - The researcher notified Google about the Google Photos bug and Google has patched the vulnerability.
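The attack depends on a third-party page making the logged-in browser send requests to the search endpoint. As an added example (not from the original article, and not a description of how Google fixed the bug), the check below shows one general server-side defence: a Fetch Metadata resource isolation policy that refuses cross-site subresource loads before any search is executed. The `/search` path, the `handleSearch` wrapper and the sample requests are constructed for illustration.

```javascript
// Added example: Fetch Metadata resource isolation for a search endpoint.
// `req` is a plain object { method, path, headers } with lower-cased header names.
function isAllowed(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no header; let them through and
  // rely on other defences (for example SameSite cookies).
  if (site === undefined) return true;

  // Our own origin or site, or a user-initiated load (typed URL, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // Cross-site: permit only a plain top-level GET navigation so inbound links
  // keep working. Embedded loads (link, img, script, iframe, object) fail.
  return mode === 'navigate' && req.method === 'GET' && dest === 'document';
}

// Run the (possibly slow, data-dependent) search only for allowed requests.
// A rejected request returns immediately, so its timing carries no signal
// about the user's stored photos.
function handleSearch(req, runSearch) {
  if (!isAllowed(req)) return { status: 403, body: 'cross-site request refused' };
  return { status: 200, body: runSearch(req.path) };
}

// Constructed sample requests (not captured traffic).
const SAMPLE = {
  // Subresource load from another site, such as one issued by a link tag.
  crossSiteLink: { method: 'GET', path: '/search?q=example',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'style' } },
  // The application's own front end calling its search API.
  sameOriginFetch: { method: 'GET', path: '/search?q=example',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  // A user following a link from another site in the top-level window.
  crossSiteNavigation: { method: 'GET', path: '/search?q=example',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  // An older browser that sends no Fetch Metadata headers at all.
  legacyBrowser: { method: 'GET', path: '/search?q=example', headers: {} },
};
```

Top-level cross-site navigations are still allowed by this policy, so it is normally combined with SameSite cookies rather than used alone.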

Cyware Publisher
