Google Photos Bug Exposed the Location & Time of Your Pictures
Written by Ionut Ilascu / Courtesy of Bleeping Computer
A vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images they stored in the account.
The flaw affected the Google Photos search endpoint, which lets users quickly find pictures based on aggregated metadata such as geo-location and date of creation, and on an artificial intelligence algorithm that can recognize objects and people’s faces after they’ve been tagged.
By far, the top benefit of the service’s search function is that you can use human queries to discover pictures relevant to a name, place, date, things, or a combination of them. An example of a query would be “sunset in Zanzibar.”
Same-origin policy restrictions insufficient
Ron Masas, a security researcher at Imperva, discovered that a browser-based timing attack that takes advantage of how the same-origin policy (SOP) typically functions in browsers could help an attacker determine a user’s location or travel history.
SOP is the web application security mechanism that prevents interaction between resources loaded from different origins. In a typical configuration, however, cross-origin writes (such as issuing a request) are permitted, while reading the cross-origin response is not.
“In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the ‘onload’ event to trigger,” Masas explains in research shared with BleepingComputer.
The researcher timed how long it took to search for nonexistent photos and compared it with the wait time for a query that returned results.
With location tags, Masas could infer if pictures from specific places were stored in a user’s account, which would indicate a visit to a country.
Adding a date in the query, a malicious website could establish a time range when the user was present in a certain location. Of course, trying out multiple types of tags would reveal extra bits of information.
For the attack to work, victims need to be lured to load a malicious website while they are logged into Google Photos. This is hardly an obstacle, considering how many people use Gmail and that a Google Account signs you into all Google services.
“Next, the JavaScript code will silently generate requests to the Google Photos search endpoint, extracting Boolean answers to any query the attacker wants,” Masas says.
The attacker does not have to extract all the information at once. They can keep track of what they already have and resume from where they left off, the researcher added.
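The leak works because the endpoint performs a result-dependent search for any request that carries the user’s session, including a cross-site HTML link load. One standard server-side defence against this class of cross-site leak is a Fetch Metadata “resource isolation” check that refuses cross-site subresource loads before the search runs, so their response time no longer depends on what is in the account. The following is an added illustration, not Google’s code or Imperva’s proof of concept; the Request/Response types, the sample photo store and the header values are constructed for the example.

```python
# Added example: Fetch Metadata resource-isolation policy in front of an
# authenticated search endpoint. Cross-site subresource loads (<link>, <img>,
# <script>, fetch) are rejected before any result-dependent work, so their
# timing carries no information about the user's photos. Types and data are
# constructed for illustration, not taken from Google Photos.
from dataclasses import dataclass, field

# Sec-Fetch-Site values that may reach the endpoint unconditionally.
TRUSTED_SITES = {"same-origin", "same-site", "none"}  # "none": typed/bookmarked

@dataclass
class Request:
    method: str
    query: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str
    searched: bool  # whether result-dependent work was performed

def fetch_metadata_allows(method: str, headers: dict) -> bool:
    """Allow same-site requests and plain cross-site GET navigations;
    reject every other cross-site request, including <link> onload probes."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return True  # browser predates Fetch Metadata; rely on other defences
    if site in TRUSTED_SITES:
        return True
    is_navigation = headers.get("Sec-Fetch-Mode") == "navigate" and method == "GET"
    embedded = headers.get("Sec-Fetch-Dest") in {"object", "embed"}
    return is_navigation and not embedded

def search_photos(req: Request, photos: list) -> Response:
    if not fetch_metadata_allows(req.method, req.headers):
        # Rejected before touching the photo index: cost independent of the data.
        return Response(403, "", searched=False)
    hits = [p for p in photos if req.query.lower() in p["tags"]]
    return Response(200, f"{len(hits)} photos", searched=True)

# Constructed sample account and the same query arriving two different ways.
PHOTOS = [{"id": 1, "tags": {"zanzibar", "sunset", "2018"}},
          {"id": 2, "tags": {"paris", "2019"}}]

def cross_site_link_load() -> Response:
    # How a <link> tag on a third-party page reaches the endpoint.
    return search_photos(Request("GET", "Zanzibar", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
        "Sec-Fetch-Dest": "style"}), PHOTOS)

def same_origin_ui_query() -> Response:
    return search_photos(Request("GET", "Zanzibar", {
        "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty"}), PHOTOS)
```

SameSite cookies are a complementary layer: with `SameSite=Lax` or `Strict`, the cross-site link load would not carry the session at all.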
In a video demonstrating the proof-of-concept attack, Masas shows how a third-party website can measure the search time to discover the countries a user took photos in.
Read the original article over at BleepingComputer.com.