Google Photos' bug exposed location histories: Here's how
Google's cloud-based Photos service was affected by a vulnerability that let attackers approximate the location of images stored in an account. The bug was disclosed recently by Imperva security researcher Ron Masas and has since been patched by the search giant. It was difficult to exploit but could have put account security at risk. Here are the details.
Browser-based side-channel attack to infer location
In this attack, Masas explained, an attacker could have lured a user to a malicious website. If the target was logged into Google Photos, JavaScript on that site could run a series of search queries against the service and approximate whether the victim had ever visited a specific place and taken photos there. For instance, searching for 'photos from Iceland' could reveal an Iceland visit.
Notably, the method didn't expose the photos themselves
Based on the time Google Photos took to respond to each query, the attacker could infer whether the user had visited a place. Additional filters could refine the results, for example a date range to check whether the target had visited the place in question between 2011 and 2012. So the bug didn't compromise private photos themselves, but it certainly threatened user privacy.
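The leak described above works because a third-party page can make the victim's browser send a credentialed search and then measure how long the answer takes. As an added example (not Google's or Imperva's code, and not part of the original article), the Node.js snippet below shows the two server-side defences a web service would normally apply to this class of cross-site timing leak: refusing cross-site requests to the search endpoint using the browser's Fetch Metadata headers (Sec-Fetch-Site), and padding the response time so a hit and a miss take the same wall-clock time. The endpoint path, the MIN_RESPONSE_MS floor, the handleSearch/fakeSearch functions and the sample request objects are all hypothetical and constructed for the example.

```javascript
// Added example, not Google's or Imperva's code. Two server-side defences
// against a cross-site timing (XS-Search) leak, in plain Node.js:
//   1. Fetch Metadata isolation: a page on another site cannot trigger a
//      credentialed search at all, so there is no timing to measure.
//   2. Response-time padding: an empty result and a non-empty one take the
//      same time, which blunts the channel for requests that do get through.

const PROTECTED_PATHS = new Set(['/search']); // hypothetical search API path
const MIN_RESPONSE_MS = 200;                  // hypothetical floor; tune to the endpoint's slow path

// Decide whether a request may reach a protected path, using the browser's
// Sec-Fetch-* headers. Node.js lowercases incoming header names.
function isAllowedBySecFetch(headers, path) {
  if (!PROTECTED_PATHS.has(path)) return true; // public paths are unaffected
  const site = headers['sec-fetch-site'];
  // No Fetch Metadata at all (very old browser or a non-browser client):
  // fail closed for an authenticated search endpoint.
  if (site === undefined) return false;
  // Our own site, or a user-initiated request (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Anything else is cross-site: a <script>, fetch(), <img> or iframe on a
  // third-party page. Refuse before doing any search work.
  return false;
}

// How long to sleep so that total handling time is at least minMs.
function paddingDelay(elapsedMs, minMs) {
  return elapsedMs >= minMs ? 0 : minMs - elapsedMs;
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Run the real search, then pad the response so its duration no longer
// depends on how many photos matched. Padding only bounds the leak (a search
// slower than minMs still shows); the Fetch Metadata check is the primary defence.
async function handleSearch(req, runSearch) {
  if (!isAllowedBySecFetch(req.headers, req.path)) {
    return { status: 403, body: { error: 'cross-site request refused' } };
  }
  const started = Date.now();
  const results = await runSearch(req.query);
  await sleep(paddingDelay(Date.now() - started, MIN_RESPONSE_MS));
  return { status: 200, body: { count: results.length } };
}

// Constructed sample requests, shaped like what a browser would send.
const crossSiteRequest = {
  path: '/search',
  query: 'Iceland',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' },
};
const sameOriginRequest = {
  path: '/search',
  query: 'Iceland',
  headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' },
};

// Constructed stand-in for the photo index: a slow hit and a fast miss,
// i.e. exactly the timing difference an attacker would try to observe.
async function fakeSearch(query) {
  if (query === 'Iceland') {
    await sleep(30);
    return ['img-0001', 'img-0002'];
  }
  return [];
}

// Stand-alone demo: prints status and elapsed time for both requests.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  (async () => {
    for (const req of [crossSiteRequest, sameOriginRequest]) {
      const t0 = Date.now();
      const res = await handleSearch(req, fakeSearch);
      console.log(req.headers['sec-fetch-site'], res.status, `${Date.now() - t0}ms`);
    }
  })();
}
```

Running it shows the cross-site request refused immediately with 403, while the same-origin request succeeds but always takes at least MIN_RESPONSE_MS regardless of whether the query matched. In production the same check belongs in a resource-isolation middleware applied to every authenticated endpoint, not just search, and the padding floor should be set from the endpoint's observed slow-path latency.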
Facebook also had a similar flaw
Though Google has patched this bug, browser-based side-channel loopholes, which can give away minute details about people's day-to-day lives, appear to be on the rise. Just recently, Masas disclosed similar Facebook bugs that let attackers learn who you had been talking to or whether you had taken photos at a particular location. Such vulnerabilities, he recently said, are still being overlooked.
Browser side-channel attacks require effort and fine-tuning
As of now, Google has not revealed whether the bug in question was ever exploited. However, ZDNet reports that such attacks require a lot of effort and fine-tuning for every individual target. This makes it an ideal technique for stalking a particular person, but not a way of carrying out mass attacks.