Google Photos flaw allows hackers to track users

Security researchers have discovered a new flaw in Google’s photo-hosting service that could allow threats actors to track a user’s location history from images stored on their Google Photos account.

The vulnerability was discovered by an Imperva security researcher, Ron Masas, and was detailed in a blog post on Wednesday (March.20th).

Google has patched the flaw in the latest version of its web browser, Chrome 72, as well as for devices running on Android 7.0.

Google Photos vulnerability

Ron Masas first discovered the vulnerability in the web version of Google Photos, which allowed malicious websites to “expose where, when, and with whom your photos were taken.”

Google Photos’ has a search engine, that automatically tags each photo using metadata information such as geographic coordinates, dates, etc. It also uses AI to generate a text description of the pictures and automatically tags people in photos by using facial recognition.

All of this information can be used to make search queries to help users find certain photos – for example: “Photos of me and Tanya from Paris 2018”.

In the blog post, Masas said that this feature could be exploited by a malicious website using browser-based timing attacks.

For this attack to work, users would have to open a malicious website while logged into their Google Photos account.

A malicious link could be sent to a victim in a direct message via email or an online messaging service, or by embedding malicious Javascript inside a web ad.


Masas decided to investigate Google Photos for side-channel attacks when he learned about the extent of its search capabilities.

“After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS Search),” Masas explained.

“I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint.

“Using JavaScript, I then measured the amount of time it took for the on-load event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results,” he added.

He then performed another query “photos of from Iceland” and compared the result to the baseline. If this search took longer, he could infer the user had visited Iceland based on the data.

Google Photos search engine takes into account the photo metadata,’ Masas said.

‘So by adding a date to the search query, I could check if the photo was taken in a specific time range.

‘By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country,’ he noted.

Facebook Messenger

This isn’t the first time that Masas has discovered an attack of this kind.

In 2018, Masas discovered a side-channel attack on Facebook Messenger that allowed websites to gain access to users’ data, including information about who they have been chatting with.

“it is my opinion that browser-based side-channel attacks are still overlooked,” Masas said.

“While big players like Google and Facebook are catching up, most of the industry is still unaware.”

Related Posts