(MENAFN- NewsBytes)
Google Photos' bug exposed location histories: Here's how
22 Mar 2019
Google's cloud-based Photos service was marred by a bug, a vulnerability that opened gates for attackers to approximate location of images stored in an account.
The bug was revealed recently by Imperva's security researcher Ron Masas and has now been patched by the search giant.
It was difficult to exploit but could have risked account security.
Here are the details.
Browser-based channel attack to infer location
Attack
Under this attack, Masas explained, an attacker could've lured a user to a malicious website.
From there, if the target was logged into Google Photos, they could have used a special JavaScript code to run different queries and approximate if the victim ever visited a specific place, shot photos there.
For instance, one could have searched 'photos from Iceland' to infer an Iceland visit.
Notably, the method didn't give photos
Details
Based on the time Google Photos took to respond, the attacker could have inferred if the user had visited a place.
Also, they could have also used additional filters to refine the results, like using date intervals to see if the targeted had visited the place in question between 2011-2012.
As such, the bug didn't compromise private photos but certainly threatened user privacy.
Facebook also had a similar flaw
Previous issue
Though Google has patched this bug, browser-based side-channel loopholes, which can give away minute details about the day-to-day life of people, appear to be increasing.
Just recently, Masas revealed about similar Facebook bugs that allowed attackers to learn who you've been talking to or if you've taken photos at a particular location.
Such vulnerabilities, he recently said, are still being overlooked.
Browser side-channel attacks require efforts, fine-tuning
Possibility
As of now, Google has not revealed if the bug in question was exploited by anyone anytime.
However,ZDNet reports that such attacks require a lot of effort and fine-tuning for every individual target.
This means that it makes an ideal technique for stalking a particular person, but not a way of carrying out mass attacks.
MENAFN2103201901650000ID1098287554
Legal Disclaimer:
MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the provider above.