Experts of an online ethical hacking training from the International Institute of Cyber Security reported the emergence of vulnerability in Google Photos with which a malicious actor could access the history of users’ locations.
According to the instructors of the online ethical hacking training, using an exploit and little social engineering techniques, a malicious web site could have exposed the locations where the images were taken in Google Photos of a user.
The investigator then timed the following query: “Photos of me from Iceland” and compared the result to the baseline, thus discovering that, if the search time was longer than the base line, it could be assumed the results of the query, inferring that the present visitor of a site was in Iceland.
In the online ethical hacking training it was mentioned that, when you add a date to the search query, you can check if the photo was taken within a specific time frame; by repeating this process with different time ranges, you can get an approximate result to the time a user visited a particular place, store or country.
Specialists in ethical hacking add that, for the attack to be functional, the victim must open a malicious web site while it is connected to their Google accounts, the malicious code will generate requests for the Google Photos search end point extract true or false answers for any query made by the attacker during the malicious activity.