Google Photos could leak location history of its users

Experts from an online ethical hacking training course at the International Institute of Cyber Security reported a vulnerability in Google Photos that a malicious actor could use to access users' location history.

According to the instructors of the online ethical hacking training, with an exploit and a little social engineering, a malicious website could have exposed the locations where a user's Google Photos images were taken.

One of the investigators used an HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint, and used JavaScript to measure how long the event took to fire. He was then able to calculate a baseline time for a search query that returns zero results.

The investigator then timed the query “Photos of me from Iceland” and compared the result to the baseline. If the search took longer than the baseline, it could be assumed that the query returned results, and from that it could be inferred that the current visitor to the site had been in Iceland.

The online ethical hacking training also mentioned that adding a date to the search query makes it possible to check whether a photo was taken within a specific time frame; by repeating this process with different time ranges, one can approximate when a user visited a particular place, store or country.

Specialists in ethical hacking add that, for the attack to work, the victim must open a malicious website while logged in to their Google account; the malicious code then generates requests to the Google Photos search endpoint and extracts true or false answers for any query the attacker makes during the malicious activity.
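Because the attack depends on a third-party page making the logged-in browser send requests to the search endpoint, one server-side mitigation is to reject such requests before the search runs, so the response time no longer depends on the result. The sketch below is an added example, not code from Google or from the researchers; it uses the real `Sec-Fetch-*` request headers, while the function names, the policy choices and the sample requests are assumptions made for illustration.

```javascript
'use strict';

// Decide whether a request may reach an authenticated search handler.
// `headers` uses lower-case keys, as Node's http module provides them.
function allowSearchRequest(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Older browsers send no Fetch Metadata. This policy lets them through and
  // relies on other controls (an assumption; a stricter policy would deny).
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  // Requests made by the application itself, or a typed/bookmarked URL.
  if (site === 'same-origin' || site === 'none') {
    return { allow: true, reason: site };
  }

  // A followed link from another site: top-level GET navigation only.
  if (mode === 'navigate' && method === 'GET' && dest === 'document') {
    return { allow: true, reason: 'top-level-navigation' };
  }

  // Anything else is a subresource load issued by another site, such as a
  // <link>, <img> or <script> element pointing at the search URL.
  return { allow: false, reason: `blocked ${site}/${mode}/${dest}` };
}

// The check runs before the (hypothetical) runSearch callback, so a rejected
// request costs the same time whether or not the query would have matched.
function handleSearch(method, headers, runSearch) {
  const verdict = allowSearchRequest(method, headers);
  if (!verdict.allow) return { status: 403, body: '' };
  return { status: 200, body: runSearch() };
}

// Constructed sample: what a browser attaches to a cross-site <link> load.
const crossSiteLink = {
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'style',
};
console.log(handleSearch('GET', crossSiteLink, () => 'results').status);
```
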