Google Photos flaw could've let hackers stalk your adventures

The bug wasn’t as bad as this image suggests, but hey, creative thinking

HACKERS COULD HAVE TRACKED your location based on a flaw in Google Photos, which would have allowed them to see where, when, and with whom your photos were taken.

The bug was spotted by security researcher Ron Masas from Imperva, who noted that if hackers could trick folks into opening a malicious website while logged into Google Photos, those users could be targeted via a browser-based timing attack called Cross-Site Search (XS-Search).

“In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results,” said Masas.

“Next, I timed the following query ‘photos of me from Iceland’ and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland.

“As I mentioned above, the Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.”

It all sounds like a great deal of fiddly work for the hacker just to figure out a person’s location; go onto any non-private Instagram account and it’s pretty easy to see where people have been and when.

Nevertheless, the flaw was a privacy-sapping one that shouldn’t have been there. But Google has patched it already, so you don’t have to panic and skip over to Apple Photos just yet.

The flaw is indicative of how the potential for XS-Search attacks, and the vulnerabilities that facilitate them, don’t get enough attention.

Masas noted that a browser-based side-channel attack was also found in the web version of Facebook Messenger and could have allowed communication mapping between Facebook accounts. µ
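The quoted proof of concept depends on the browser sending cross-origin subresource requests to a search endpoint while the user is logged in. As an added example (not from the article, Imperva or Google, and not a description of Google's patch), here is a server-side check that refuses such requests using the browser's Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`); the request shape, path and sample values are assumptions.

```javascript
// Added example: Fetch Metadata resource isolation check (server side).
// Requests are plain {method, path, headers} objects, a shape assumed here.
function headerMap(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  return h;
}

function checkRequest(req) {
  const h = headerMap(req.headers);
  const site = h["sec-fetch-site"];
  // Older clients send no Fetch Metadata: allow, and rely on other controls.
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };
  // Same-origin, same-site, or user-initiated (address bar, bookmark).
  if (["same-origin", "same-site", "none"].includes(site)) {
    return { allow: true, reason: site };
  }
  // Cross-site: permit only a plain top-level navigation so inbound links
  // keep working. Dest "document" excludes iframe, embed and object loads.
  const topLevelNav = req.method === "GET" &&
    h["sec-fetch-mode"] === "navigate" && h["sec-fetch-dest"] === "document";
  if (topLevelNav) return { allow: true, reason: "cross-site-navigation" };
  // Any other cross-site load (link, img, script, fetch) is refused before
  // the search executes, so its timing cannot reflect the result count.
  return { allow: false, reason: "cross-site-subresource" };
}

// Constructed sample requests; the path and header values are illustrative.
const mk = (name, site, mode, dest) => ({
  name, method: "GET", path: "/search?q=example",
  headers: site ? { "Sec-Fetch-Site": site, "Sec-Fetch-Mode": mode, "Sec-Fetch-Dest": dest } : {},
});
const SAMPLES = [
  mk("in-app search", "same-origin", "cors", "empty"),
  mk("link tag on another site", "cross-site", "no-cors", "style"),
  mk("clicked link from another site", "cross-site", "navigate", "document"),
  mk("iframe on another site", "cross-site", "navigate", "iframe"),
  mk("legacy client without Fetch Metadata"),
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...checkRequest(s) }));
}

console.log(evaluateSamples());
```

The policy deliberately leaves cross-site top-level navigations open, so it addresses the subresource pattern quoted above rather than every browser timing channel.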
