Google Photos Vulnerability That Lets Hackers Retrieve Image Metadata


A vulnerability that was detected in the web version of Google Photos could be used by hackers to retrieve image metadata.

ZDNet reports, “Google has patched a bug in its Photos service that could have allowed a malicious threat actor to infer geo-location details about images a user was storing in their Google Photos account.”

The attack, which is of the type that is known among security researchers as “a browser side-channel leak”, was discovered by Imperva security researcher Ron Masas.

Google Photos automatically tags photos based on their metadata: date, geographic coordinates, etc. It also uses a state-of-the-art AI engine that can describe photos in text and detect objects and events (weddings, waterfalls, sunsets, etc.). Google Photos also uses facial recognition to tag photos. All of this information can be used in search queries.

It’s by probing Google Photos’ search capabilities that Ron Masas discovered the vulnerability.

Masas writes, in an official Imperva blog post, “I’ve used Google Photos for a few years now, but only recently learned about its search capabilities, which prompted me to check for side-channel attacks. After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search).”

The ZDNet report explains how the attack works: “It works by luring users on a threat actor’s website where malicious JavaScript code probes URLs for private sections of a user’s online accounts and then measuring the size and time the target website takes to respond even with a classic “access denied” response…The attacker measures and compares these responses in order to determine if certain artifacts exist in a user’s private account.”

Ron Masas used an HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, he measured the time it took for the onload event to fire on each of them, and used these measurements to establish a baseline response time. He then tried the same measurement with the query “photos of me from Iceland”.

Masas writes, “Next, I timed the following query “photos of me from Iceland” and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland.”

He adds, “As I mentioned above, the Google Photos search engine takes into account the photo metadata. So, by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.”

Thus, an attacker who gets a user to open a malicious website while that user is logged into Google Photos can use JavaScript on the site to generate requests to the Google Photos search endpoint and extract Boolean (yes/no) answers to those queries.

The Imperva report explains that this process can be incremental: the attacker can keep track of what has already been asked and continue from there the next time the user visits one of the malicious websites.
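The leak works because the browser sends credentialed cross-site requests to the search endpoint and the endpoint answers them at a query-dependent speed. The following is an added example, not code from the article, Imperva or Google: a Fetch Metadata resource-isolation check of the kind commonly used against XS-Search, wrapped around a toy search handler with a constructed photo index. The browser-supplied Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest headers let the server refuse a link-tag probe from another site before the query runs, so the response time no longer depends on the user's library.

```javascript
// Added example (not from the article or Imperva). Fetch Metadata request
// headers are attached by modern browsers, so a search endpoint can tell a
// cross-site <link>-triggered probe from its own front end and refuse it.
const FIRST_PARTY = new Set(['same-origin', 'same-site', 'none']);

// Returns {allow, reason}. `headers` holds lower-cased request header names.
function isolationPolicy(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site: fail open here for
  // compatibility (a stricter deployment may fall back to Origin/Referer checks).
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  if (FIRST_PARTY.has(site)) return { allow: true, reason: site };

  // Cross-site: only a plain top-level navigation (a user following a link) is
  // served; subresource loads such as <link>, <img> or <script> are refused.
  if (mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed') {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  return { allow: false, reason: `cross-site ${mode}/${dest}` };
}

// Minimal search handler around the policy. SAMPLE_INDEX is constructed data.
// A refused request gets a fixed response without touching the index, so
// neither response time nor size depends on what the user has stored.
const SAMPLE_INDEX = [
  { tags: ['me', 'iceland'] },
  { tags: ['me', 'waterfall'] },
];

function handleSearch(req) {
  const verdict = isolationPolicy(req.method, req.headers);
  if (!verdict.allow) return { status: 403, body: 'forbidden', reason: verdict.reason };
  const terms = req.query.toLowerCase().split(/\s+/);
  const hits = SAMPLE_INDEX.filter(p => terms.every(t => p.tags.includes(t)));
  return { status: 200, body: hits, reason: verdict.reason };
}

// A cross-site <link>-style probe, labelled as the browser would label it.
const probe = {
  method: 'GET',
  query: 'me iceland',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'style' },
};
console.log(handleSearch(probe)); // status 403, the search never runs
```

Marking the session cookie SameSite complements this check, since the probe then arrives without credentials in the first place.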

The vulnerability was patched after Imperva reported it to Google.
