Google Photos Bug allowing Attackers to Trace Location and Time of Your Pictures

Websites have been using a vulnerability in the web version of Google Photos to learn the locations of users.

The flaw affects the Google Photos search endpoint, which is used to find stored pictures through aggregated metadata such as geo-location and date. An artificial intelligence algorithm is also used to identify people who have already been tagged.

The advantage of this search feature is that pictures can be found with human-style queries, for example by typing in a name, location, and/or date.

Ron Masas, a security researcher at Imperva, said that the same-origin policy (SOP), which is usually used in the browser, helps the attacker to learn the location of a user. The SOP is a web application security mechanism that restricts how resources loaded from different origins interact: cross-origin reads are not allowed, and only cross-origin writes are possible.

"After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack [now-patched] called Cross-Site Search (XS-Search)," said Masas, the security researcher from Israel.

According to Masas's research, cross-origin requests to the Google Photos search endpoint were created using HTML link tags. JavaScript was then used to measure how long the onload event takes to trigger.


He also noted the time difference between searching for non-existent photos and searching for photos that are actually in the user’s account. Using the location tag, a visit to any country can be determined from the place where pictures were uploaded. The malicious site can also estimate the length of the stay by including a date in the query. The more tags used, the more information can be inferred.

The attack works only if users are lured to a malicious website while they are still logged into their Google account, since being logged in to Google gives access to all Google services.

JavaScript code then sends requests to the Google Photos search endpoint, which answers any query put in by the hacker. Attackers can also resume extracting information from where they left off, which means they do not have to take out all the data at once.

Masas also explained in a video how third-party websites use search time to learn the location where pictures were taken.
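
A server-side check that would refuse the cross-site requests described above, given here as an added example that is not from the original article and not the fix Google deployed (the article does not describe it). It uses the Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) to reject cross-site requests to a search path before any query runs, so the response time no longer depends on the user's photos. The `/search` path, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Paths whose response time depends on private data (hypothetical name).
const SENSITIVE_PATHS = ['/search'];

// Decide whether to serve a request, based on the Fetch Metadata headers
// that supporting browsers attach to the requests they issue.
function allowRequest(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];

  // Older browsers send no Fetch Metadata; other defences must cover them.
  if (site === undefined) return true;

  // Requests from our own origin or site, or typed into the address bar.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // From here on the request was initiated by another site.
  const sensitive = SENSITIVE_PATHS.some(
    (p) => req.path === p || req.path.startsWith(p + '/'));
  if (sensitive) return false; // reject before the search is executed

  // Elsewhere, allow only plain top-level navigations (a followed link).
  return req.method === 'GET' && mode === 'navigate' && dest === 'document';
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: 'cross-site <link> tag to search', method: 'GET', path: '/search',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'style' } },
  { name: "app's own search request", method: 'GET', path: '/search',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { name: 'URL typed by the user', method: 'GET', path: '/search',
    headers: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site navigation to search', method: 'GET', path: '/search',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site link to home page', method: 'GET', path: '/',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'legacy browser, no metadata', method: 'GET', path: '/search', headers: {} },
];

// Run the policy over every sample and report the decision.
function evaluateSamples() {
  return samples.map((s) => ({ name: s.name, allowed: allowRequest(s) }));
}

console.log(evaluateSamples());
```

Requests from browsers that send no Fetch Metadata headers pass this check, so it belongs alongside `SameSite` session cookies rather than in place of them.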

