Hackers can gather user location through Google Photos vulnerability

Researchers discovered a vulnerability in the Google Photos app, which has now been fixed. With this vulnerability, hackers could use Google Photos to track a user's location history. Ron Masas of the Internet security company Imperva explained in a blog post that Google Photos was recently vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search), which makes it possible to infer visits to a place or country from image data.

Image: Google Photos. Credit: Google [Public domain], via Wikimedia Commons

For this attack to work, a user must be directed to open a malicious website while logged in to Google Photos, and the attacker must invest a certain amount of effort, so this is not a ubiquitous risk. The researcher wrote:

“For this attack to work, we need to trick a user into opening a malicious website while logged into Google Photos. This can be done by sending a victim a direct message on a popular messaging service or email, or by embedding malicious Javascript inside a web ad. The JavaScript code will silently generate requests to the Google Photos search endpoint, extracting Boolean answers to any query the attacker wants.”
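A site operator can refuse the cross-site requests the quote describes before the search code ever runs, using the `Sec-Fetch-*` request headers that browsers attach. The sketch below is an added example, not code from the Imperva post or from Google's fix; the `/api/search` path, the sample requests and the policy choices are assumptions.

```javascript
// Hypothetical endpoints whose response time depends on the user's private data.
const SENSITIVE_PREFIXES = ['/api/search'];

function isSensitive(path) {
  const pathname = path.split('?')[0];
  return SENSITIVE_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + '/'));
}

// Returns true if the request may reach its handler.
// `headers` uses lower-cased names, as Node's http module provides them.
function allowRequest(method, path, headers) {
  const site = headers['sec-fetch-site'];
  // Browsers without Fetch Metadata omit the header; those clients have to be
  // covered by other defenses (for example SameSite cookies).
  if (site === undefined) return true;
  if (site === 'same-origin') return true;
  // Assumption: the search API is only called by the application's own pages,
  // so cross-site, same-site and direct-navigation requests are all refused.
  if (isSensitive(path)) return false;
  if (site === 'same-site' || site === 'none') return true;
  // Remaining case is cross-site: allow only a top-level GET navigation so
  // inbound links keep working; subresource loads and fetches are refused.
  return method === 'GET' &&
    headers['sec-fetch-mode'] === 'navigate' &&
    headers['sec-fetch-dest'] === 'document';
}

// Builds the three Fetch Metadata headers for a constructed sample request.
const fm = (site, mode, dest) =>
  ({ 'sec-fetch-site': site, 'sec-fetch-mode': mode, 'sec-fetch-dest': dest });

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ['app page calls search',        'GET', '/api/search?q=x', fm('same-origin', 'cors', 'empty')],
  ['cross-site page probes search', 'GET', '/api/search?q=x', fm('cross-site', 'no-cors', 'script')],
  ['cross-site window to search',  'GET', '/api/search?q=x', fm('cross-site', 'navigate', 'document')],
  ['inbound link to home page',    'GET', '/',               fm('cross-site', 'navigate', 'document')],
  ['cross-site image load',        'GET', '/',               fm('cross-site', 'no-cors', 'image')],
];

// Evaluates every sample and returns the allow/deny decisions in order.
function decisions() {
  return SAMPLES.map(([, method, path, headers]) => allowRequest(method, path, headers));
}

SAMPLES.forEach(([name], i) => console.log(decisions()[i] ? 'ALLOW' : 'DENY ', name));
```

Denied requests are rejected before any query executes, so their response time no longer depends on whether the user's photos match the search.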