Google Photos vulnerability could have let hackers retrieve image metadata

Browser side-channel leaks are emerging as the next big threat for per-target stalking ops.
Written by Catalin Cimpanu, Contributor

Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.

The attack is what security researchers call a browser side-channel leak.

It works by luring a user to a threat actor's website, where malicious JavaScript code probes URLs for private sections of the user's online accounts and then measures the size of each response and the time the target website takes to return it, even when that response is a classic "access denied".

The attacker measures and compares these responses in order to determine if certain artifacts exist in a user's private account.

This is how Imperva security researcher Ron Masas discovered this Google Photos image metadata leak.

The researcher created a JavaScript script that would probe the Google Photos search feature. Once a user landed on a malicious website, the script would use the user's browser as a proxy for sending requests and searching through the user's Google Photos account.

For example, Masas said he used a search query of "photos of me from Iceland" to determine if the user had ever visited Iceland.

Masas was able to do this by measuring the size of the HTTP response and time it took Google Photos to respond to these search queries, even if no actual private photos were ever returned.

He also used date intervals to refine the search query to ascertain when the target had most likely visited a particular place. Other data could have been inferred in the same way with the help of other search queries.
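As an added illustration (not code from the article, Imperva, or Google), the toy Node.js search handler below shows the two halves of the story: a response whose size depends on private photo matches, which a cross-site page can observe through the victim's browser, and a hardened variant that uses the browser-set Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`) to give cross-site callers one uniform response before any account lookup happens. The account contents and handler names are constructed assumptions.

```javascript
// Added example: a toy photo-search endpoint showing a cross-site response-size
// leak and a Fetch Metadata resource-isolation fix. Not Google's code.

// Constructed sample account: only the account owner should learn that
// photos from Iceland exist here.
const SAMPLE_ACCOUNT = {
  photos: [
    { id: 'p1', place: 'Iceland', date: '2018-07-02' },
    { id: 'p2', place: 'Iceland', date: '2018-07-03' },
    { id: 'p3', place: 'Lisbon', date: '2019-01-10' },
  ],
};

// Leaky handler: the body size (and server work) scales with the number of
// private matches, so a page that can make the victim's browser send this
// request can tell "hits" from "no hits" without ever reading the body.
function leakySearch(account, query) {
  const hits = account.photos.filter((p) => p.place === query.place);
  return JSON.stringify({ results: hits });
}

// Hardened handler: cross-site, non-navigation requests are rejected with a
// constant body before touching account data. The browser sets Sec-Fetch-*
// headers itself; a calling page cannot forge them. Browsers that do not
// send them are treated as same-site (the conservative legacy default).
const UNIFORM_REJECTION = JSON.stringify({ error: 'forbidden' });

function hardenedSearch(account, query, headers) {
  const site = headers['sec-fetch-site'] || 'none';
  const mode = headers['sec-fetch-mode'] || 'navigate';
  if (site === 'cross-site' && mode !== 'navigate') {
    return UNIFORM_REJECTION; // same size and same work for every query
  }
  return leakySearch(account, query); // first-party callers behave as before
}

// Size of a response as an observer on the wire would see it.
function responseSize(body) {
  return Buffer.byteLength(body, 'utf8');
}

module.exports = { SAMPLE_ACCOUNT, leakySearch, hardenedSearch, responseSize, UNIFORM_REJECTION };
```

The fix blocks only the cross-site vector; a real deployment would pair it with `SameSite` cookies so the victim's session is not attached to such requests in the first place.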

This type of attack is now blocked in Google Photos, but there are many other services that attackers can target and siphon small details about a victim's day-to-day life, such as Dropbox, iCloud, Gmail, Twitter, and more.

Facebook patched a similar browser side-channel attack last month, also after a report from Masas. Just like in today's Google Photos attack, Masas found a Facebook endpoint that he could query and infer details about private Facebook photos and the location at which they had been taken.

To be clear, browser side-channel attacks are very clever, but they require a lot of per-victim fine-tuning, making them useless for mass harvesting operations. Nonetheless, they are quite useful for attackers stalking a particular target.
