Google Photos vulnerability could have let hackers retrieve image metadata

silversurfer

Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.

The attack is what security researchers call a browser side-channel leak.

It works by luring users onto a threat actor's website, where malicious JavaScript code probes URLs for private sections of a user's online accounts and then measures the size and time the target website takes to respond, even with a classic "access denied" response.

The attacker measures and compares these responses in order to determine if certain artifacts exist in a user's private account.

This is how Imperva security researcher Ron Masas discovered this Google Photos image metadata leak.

The researcher created a JS script that would probe the Google Photos search feature. Once a user landed on a malicious website, the script would use the user's browser as a proxy for sending requests and searching through their Google Photos account.

For example, Masas said he used a search query of "photos of me from Iceland" to determine if the user had ever visited Iceland.

Masas was able to do this by measuring the size of the HTTP response and the time it took Google Photos to respond to these search queries, even if no actual private photos were ever returned.

He also used date intervals to refine the search query to ascertain when the target had most likely visited a particular place. Other data could have been inferred in the same way with the help of other search queries.

This type of attack is now blocked in Google Photos, but there are many other services that attackers can target and siphon small details about a victim's day-to-day life, such as Dropbox, iCloud, Gmail, Twitter, and more.
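
A server-side check against the cross-site probing described in the post, as an added example that is not part of the original post and not Google's actual fix: it uses the browser-sent Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) to answer cross-site requests to a private search route with one constant response before any search runs. The `/search` route, the request objects and the `serve` stub are assumptions made for the illustration.

```javascript
// Added example, not from the original post. The route, the requests and the
// serve() stub are constructed for illustration.
const PRIVATE_PREFIXES = ["/search"]; // hypothetical private route

// One fixed rejection for every query: its size and processing time do not
// depend on what the account contains.
const REJECTION = Object.freeze({ status: 403, body: "Forbidden" });

function isCrossSite(headers) {
  const site = headers["sec-fetch-site"];
  // Header absent (older browser, non-browser client): not classified here;
  // other controls such as SameSite cookies have to cover that case.
  if (site === undefined) return false;
  // "none" means user-initiated: address bar, bookmark.
  return !["same-origin", "same-site", "none"].includes(site);
}

function isPlainNavigation(req) {
  const dest = req.headers["sec-fetch-dest"];
  return req.method === "GET" &&
    req.headers["sec-fetch-mode"] === "navigate" &&
    dest !== "object" && dest !== "embed";
}

// Runs before any per-user work; serve() is only reached when allowed.
function handle(req, serve) {
  if (isCrossSite(req.headers)) {
    const isPrivate = PRIVATE_PREFIXES.some((p) => req.path.startsWith(p));
    // Private routes: reject all cross-site requests, navigations included.
    // Public routes: ordinary links from other sites keep working.
    if (isPrivate || !isPlainNavigation(req)) return REJECTION;
  }
  return serve(req);
}

// Constructed requests: a cross-site probe of the search route, a cross-site
// link to a public page, and the site's own search call.
function demo() {
  const serve = (req) => ({ status: 200, body: `results for ${req.path}` });
  const mk = (path, site, mode, dest) => ({ method: "GET", path, headers: {
    "sec-fetch-site": site, "sec-fetch-mode": mode, "sec-fetch-dest": dest } });
  return [
    handle(mk("/search?q=a", "cross-site", "no-cors", "empty"), serve).status,
    handle(mk("/about", "cross-site", "navigate", "document"), serve).status,
    handle(mk("/search?q=a", "same-origin", "cors", "empty"), serve).status,
  ];
}
```

Treating `same-site` as trusted is a policy choice; a service with untrusted subdomains would reject it for private routes as well.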
 
