silversurfer

Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.

The attack is what security researchers call a browser side-channel leak.

It works by luring users onto a threat actor's website, where malicious JavaScript code probes URLs for private sections of a user's online accounts and then measures the size of the target website's response and the time it takes to respond, even when that response is a classic "access denied".

The attacker measures and compares these responses in order to determine if certain artifacts exist in a user's private account.

This is how Imperva security researcher Ron Masas discovered this Google Photos image metadata leak.

The researcher created a JS script that would probe the Google Photos search feature. Once a user landed on a malicious website, the script would use the user's browser as a proxy for sending requests and searching through their Google Photos account.

For example, Masas said he used a search query of "photos of me from Iceland" to determine if the user had ever visited Iceland.

Masas was able to do this by measuring the size of the HTTP response and time it took Google Photos to respond to these search queries, even if no actual private photos were ever returned.

He also used date intervals to refine the search query to ascertain when the target had most likely visited a particular place. Other data could have been inferred in the same way with the help of other search queries.

This type of attack is now blocked in Google Photos, but there are many other services that attackers can target to siphon small details about a victim's day-to-day life, such as Dropbox, iCloud, Gmail, Twitter, and more.
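The leak described above depends on a third-party page being able to make the victim's browser issue authenticated search requests and then observe how long and how large the reply is. The following is an added example, not code from the article, from Google, or from Imperva, showing the server-side check a private search endpoint can apply using the browser-set Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest): cross-site requests are rejected with one cheap, fixed-size response before any search work runs, so neither timing nor size varies with the account's contents. The legacy-browser fallback policy and the sample requests are assumptions constructed for the example.

```javascript
'use strict';

// Sec-Fetch-Site values accepted for a private, authenticated search API.
// Policy choice (assumption): the app's own origin and its sibling subdomains.
const ALLOWED_SITES = new Set(['same-origin', 'same-site']);

/**
 * Decide whether a request to a private search endpoint may be served.
 * `headers` is a plain object of lower-cased header names to values.
 * Returns { allow: boolean, reason: string }.
 *
 * Browsers attach the Sec-Fetch-* headers themselves and page scripts cannot
 * forge them, so a fetch() started by an attacker's page arrives marked
 * "cross-site" and can be refused before the search backend is touched.
 */
function shouldServePrivateSearch(headers) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const mode = (headers['sec-fetch-mode'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();

  // Legacy browser without Fetch Metadata: header absent. Assumed policy here is
  // to let the request through and rely on SameSite cookies / CSRF tokens elsewhere.
  if (site === '') return { allow: true, reason: 'no-fetch-metadata' };

  if (!ALLOWED_SITES.has(site)) {
    // Same rejection for every probe: no per-account timing or size signal.
    return { allow: false, reason: `blocked: Sec-Fetch-Site=${site}` };
  }
  // A search API is only ever called from the app's own scripts, never via a
  // top-level navigation, <img>, <iframe> or similar; reject those even if same-site.
  if (mode === 'navigate' || (dest !== '' && dest !== 'empty')) {
    return { allow: false, reason: `blocked: mode=${mode} dest=${dest}` };
  }
  return { allow: true, reason: 'same-site fetch' };
}

// Constructed sample requests: the app's own XHR and a probe from a third-party page.
const ownAppRequest = {
  'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty',
};
const thirdPartyProbe = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty',
};

console.log(shouldServePrivateSearch(ownAppRequest));   // allow: true
console.log(shouldServePrivateSearch(thirdPartyProbe)); // allow: false
```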