A vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images stored in the account.
The flaw affected the Google Photos search endpoint, which lets users quickly find images based on aggregated metadata, such as geographic location and date of creation, and on an artificial intelligence algorithm that recognizes objects and the faces of people once they have been tagged.
The main advantage of the service’s search function is that human-style queries can be used to find pictures relevant to a name, place, date, thing, or a combination of these. An example of a query would be “Zanzibar Sunset.”
Ron Masas, a security researcher at Imperva, found that a browser-based timing attack, which takes advantage of how the Same-Origin Policy (SOP) typically works in browsers, can help an attacker determine a user’s location or travel history. SOP is the security mechanism for web applications that prevents interaction between resources loaded from different origins.
In a typical configuration, however, cross-origin writes are allowed while cross-origin reads are not.
The researcher measured how long a search for non-existent photos took and compared it with the waiting time for searches that return results. Using location tags, Masas could determine whether images from certain places were stored in a user’s account, indicating a visit to a country.
A malicious website could add a date to the query and establish a time range during which the user was present at a given location. Naturally, testing several tag types would reveal additional pieces of information.
The attacker does not need to extract all information simultaneously. You can track what you already have and resume where you left off, he added. In a video demonstrating the proof-of-concept attack, Masas shows how a third-party website can measure the time taken to search for countries in which a user took photos.
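
The timing comparison described above can be turned into a defender-side check. The following is an added example, not code from the article or from Imperva's proof of concept: it takes response-time samples collected for a search endpoint you own and reports whether a query under test is distinguishable from a query known to match nothing. The function names, the threshold `k` and all sample timings are assumptions constructed for illustration.

```javascript
// Added example: audit whether a search endpoint's response time reveals
// if a query matched anything. All names and samples here are constructed.

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Median absolute deviation: a noise estimate that tolerates the
// occasional slow response (GC pause, network hiccup).
function mad(values) {
  const m = median(values);
  return median(values.map((v) => Math.abs(v - m)));
}

// baselineMs: timings for a query known to return no results.
// candidateMs: timings for the query under test.
// k: how many noise widths the gap must exceed (assumed default 3).
function timingLeak(baselineMs, candidateMs, k = 3) {
  if (baselineMs.length < 5 || candidateMs.length < 5) {
    throw new Error("need at least 5 samples per query");
  }
  const gapMs = median(candidateMs) - median(baselineMs);
  // Floor the noise so identical samples do not yield a zero threshold.
  const noiseMs = Math.max(mad(baselineMs), mad(candidateMs), 0.01);
  return { gapMs, noiseMs, distinguishable: Math.abs(gapMs) > k * noiseMs };
}

// Constructed samples in milliseconds; each of the first two has one outlier.
const emptyQuery = [41.2, 40.8, 43.1, 39.9, 42.0, 88.5, 41.5];
const matchingQuery = [63.0, 61.7, 64.4, 62.2, 95.1, 62.9, 63.5];
const otherEmptyQuery = [40.5, 42.3, 41.1, 43.0, 40.9, 41.8, 42.6];

console.log("matching vs empty:", timingLeak(emptyQuery, matchingQuery));
console.log("empty vs empty:   ", timingLeak(emptyQuery, otherEmptyQuery));
```

A `distinguishable` result on samples gathered from your own endpoint means response time depends on whether the query matched, which is the condition the attack relies on.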