Google Photos vulnerability could have let hackers retrieve image metadata

Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.

The attack is what security researchers call a browser side-channel leak.

It works by luring users on a threat actor's website where malicious JavaScript code probes URLs for private sections of a user's online accounts and then measuring the size and time the target website takes to respond --even with a classic "access denied" response.

The attacker measures and compares these responses in order to determine if certain artifacts exist in a user's private account.

This is how Imperva security researcher Ron Masas discovered this Google Photos image metadata leak.

The researcher created a JS script that would probe the Google Photos search feature. Once a user landed on a malicious website, the script would use the user's browser as a proxy for sending requests and searching through a thei Google Photos account.

For example, Masas said he used a search query of "photos of me from Iceland" to determine if the user had ever visited Iceland.

Masas was able to do this by measuring the size of the HTTP response and time it took Google Photos to respond to these search queries, even if no actual private photos were ever returned.

He also used date intervals to refine the search query to ascertain when the target had most likely visited a particular place. Other data could have been inferred in the same way with the help of other search queries.

This type of attack is now blocked in Google Photos, but there are many other services that attackers can target and siphon small details about a victim's day-to-day life --such as Dropbox, iCloud, Gmail, Twitter, and more.

Facebook patched a similar browser side-channel attack last month, also after a report from Masas. Just like in today's Google Photos attack, Masas found a Facebook endpoint that he could query and infer details about private Facebook photos and the location at which they had been taken.

To be clear, browser side-channel attacks are very clever, but they require a lot of per-victim fine-tuning, making them useless for mass harvesting operations. Nonetheless, they are quite useful for attackers stalking a particular target.

How to protect your Google Account with the Advanced Protection Program

More vulnerability reports:

• Severe security bug found in popular PHP library for creating PDF files
• Microsoft March Patch Tuesday comes with fixes for two Windows zero-days
  
• New BitLocker attack puts laptops storing sensitive data at risk
• Microsoft to fix 'novel bug class' discovered by Google engineer
• Fujitsu wireless keyboard model vulnerable to keystroke injection attacks
• Proof-of-concept code published for Windows 7 zero-day
• DJI fixes vulnerability that let potential hackers spy on drones CNET
• Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic