Google Photos bug: the location and time of your photos were exposed


A vulnerability in the web version of Google Photos allowed other websites to learn a user's location history from the images stored in the account.

The flaw affected the Google Photos search endpoint, which lets users quickly find images using aggregated metadata such as geographic location and date of creation, together with an AI algorithm that recognizes objects and, once tagged, people's faces.

The main advantage of the service's search function is that natural-language queries can be used to discover pictures relevant to a name, place, date, thing, or a combination of these. An example of a query would be "Zanzibar Sunset."

Ron Masas, a security researcher at Imperva, found that a browser-based timing attack, which takes advantage of how the Same-Origin Policy (SOP) typically works in browsers, can help an attacker determine a user's location or travel history. SOP is the security mechanism for web applications that restricts how resources loaded from different origins can interact.

In a typical configuration, cross-origin writes are allowed but cross-origin reads are not.

"In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint, and then measured how much time it took for the 'onload' event to fire by using JavaScript," Masas says in the research write-up.

The researcher measured how long a search for non-existent photos took and compared that against the wait time for searches that did return results. Using location tags, Masas could determine whether images from certain places were stored in a user's account, indicating a visit to that country.

A malicious website could add a date to the query to narrow down the time range in which the user was at a given location. Naturally, testing other tag types would reveal additional pieces of information.

For the attack to work, victims must be logged into Google Photos when they load a malicious website. This is hardly an obstacle, given the number of people using Gmail and the fact that a Google Account signs you in to all Google services. "With the JavaScript code, requests to the Google Photos search endpoint are silently generated and Boolean answers are extracted for whatever query the attacker wants," Masas says.

The attacker does not need to extract all the information at once. They can keep track of what they already have and resume where they left off, he added. In a video demonstrating the proof-of-concept attack, Masas shows how a third-party website can time searches to learn which countries a user has taken photos in.
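The class of leak described above (a cross-site page timing a request it cannot read) is what Fetch Metadata request headers were designed to let servers refuse. The following is an added illustration, not code from Imperva's research or from Google Photos: a resource-isolation check a search endpoint could apply before doing any search work, so that cross-site subresource loads such as the link-tag probes are rejected with a fixed cost and there is no result-dependent timing to measure. The handler shape, the sample requests and the response bodies are assumptions.

```javascript
// Added example (not Imperva's or Google's code): Fetch Metadata
// "resource isolation" for an authenticated search endpoint. Browsers send
// Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest with each request, so
// the server can reject cross-site subresource loads (<link>, <img>,
// script, fetch) before touching the search index.

function isAllowedByResourceIsolation(headers, method) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site; the policy
  // cannot decide, so it lets the request through and relies on other
  // defences (e.g. SameSite cookies). A stricter deployment could deny here.
  if (site === undefined) return true;

  // Same-origin, same-site and user-initiated (none) requests are fine.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return true;
  }

  // Cross-site: permit only plain top-level GET navigations. Subresource
  // loads are what a hostile page can time via onload, so they are denied.
  return mode === "navigate" && method === "GET"
    && dest !== "object" && dest !== "embed";
}

// Minimal handler (assumed shape): deny before any search work, so rejected
// requests cost the same regardless of what the query would have matched.
function handleSearch(req) {
  if (!isAllowedByResourceIsolation(req.headers, req.method)) {
    return { status: 403, body: "cross-site request rejected" };
  }
  return { status: 200, body: `results for ${req.query}` };
}

// Constructed sample requests (not captured traffic).
const linkTagProbe = { // a <link rel="stylesheet"> issued from another site
  method: "GET", query: "Zanzibar Sunset",
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
             "sec-fetch-dest": "style" } };
const firstPartyFetch = { // the photos UI calling its own endpoint
  method: "GET", query: "Zanzibar Sunset",
  headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors",
             "sec-fetch-dest": "empty" } };

console.log(handleSearch(linkTagProbe).status, handleSearch(firstPartyFetch).status); // 403 200
```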

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.