Google Photos Vulnerability That Allowed Retrieval of Image Metadata
A vulnerability that was detected in the web version of Google Photos could be used by hackers to retrieve image metadata.
ZDNet reports, “Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.”
The attack, which is of the type that is known among security researchers as “a browser side-channel leak”, was discovered by Imperva security researcher Ron Masas.
Google Photos automatically tags photos based on metadata such as date and geographic coordinates. It also uses a state-of-the-art AI engine that describes photos with text and detects objects and events (weddings, waterfalls, sunsets etc.). Google Photos also uses facial recognition to tag photos. All of this information can be used in search queries.
It’s by probing Google Photos’ search capabilities that Ron Masas discovered the vulnerability.
Masas writes, in an official Imperva blog post, “I’ve used Google Photos for a few years now, but only recently learned about its search capabilities, which prompted me to check for side-channel attacks. After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search).”
Masas writes, “Next, I timed the following query ‘photos of me from Iceland’ and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland.”
He adds, “As I mentioned above, the Google Photos search engine takes into account the photo metadata. So, by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.”
The Imperva report explains that the process can be incremental: the attacker can keep track of which queries have already been asked and continue from there the next time the user visits one of the attacker's malicious websites.
The vulnerability was patched after Imperva reported it to Google.
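The attack described above depends on the victim's browser sending an authenticated request to the search endpoint from a page on another site. One server-side defence against that class of request is a Fetch Metadata policy, sketched below as an added example; it is not Google's fix and not code from the Imperva report, and the `/search` path, function names and sample requests are assumptions.

```javascript
// Added example: Fetch Metadata policy for a hypothetical /search endpoint.
// Paths and function names are assumptions, not taken from Google Photos.
const SENSITIVE_PREFIXES = ['/search']; // responses whose timing depends on private data

// Header names are case-insensitive, so normalise before lookup.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).toLowerCase();
}

// req.path is assumed to be the URL path without the query string.
function allowRequest(req) {
  const site = header(req.headers, 'sec-fetch-site');
  // Browsers that do not send Fetch Metadata are let through here and must be
  // covered by other controls (SameSite cookies, CSRF tokens).
  if (site === undefined) return true;
  // Same-origin, same-site and user-initiated requests (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // From here on the request is cross-site.
  const sensitive = SENSITIVE_PREFIXES.some(
    (p) => req.path === p || req.path.startsWith(p + '/'));
  // A foreign page never gets an authenticated search response to time.
  if (sensitive) return false;
  // Elsewhere, allow only ordinary top-level navigations (inbound links).
  return req.method === 'GET'
    && header(req.headers, 'sec-fetch-mode') === 'navigate'
    && header(req.headers, 'sec-fetch-dest') === 'document';
}

// Constructed sample requests, not captured traffic.
const xs = { 'Sec-Fetch-Site': 'cross-site' };
const SAMPLE_REQUESTS = [
  { label: 'app search', method: 'GET', path: '/search',
    headers: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' } },
  { label: 'cross-site subresource search', method: 'GET', path: '/search',
    headers: { ...xs, 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'style' } },
  { label: 'cross-site navigation to search', method: 'GET', path: '/search',
    headers: { ...xs, 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } },
  { label: 'inbound link to home page', method: 'GET', path: '/',
    headers: { ...xs, 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } },
  { label: 'legacy browser', method: 'GET', path: '/search', headers: {} },
];

function decisions() {
  return SAMPLE_REQUESTS.map((r) => `${r.label}: ${allowRequest(r) ? 'allow' : 'block'}`);
}
console.log(decisions().join('\n'));
```

The policy rejects the request before any search runs, so a blocked response takes the same time whether or not the query would have matched.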
Kevin Jones