A vulnerability discovered by a security expert allowed malicious parties to access certain user data from Google Photos.
Location linked to display time
An Imperva security expert managed to use the Google Photos search engine to find the location of a user, as well as the people in the photos. This information is held in the metadata of an image file. To find the flaw, he used the search engine of the web version of Google Photos to find images by location or shooting date. Google Photos offers fast, relevant search because the platform looks for information in photo metadata. Ron Masas, the security expert, explained that he had "used the HTML link tag to run multiple queries in the Google Photos search engine, and measured the time that
He then established the time needed to display "zero images", i.e. searches that return no results. By issuing identical queries and exploiting the flaw, he was then able to determine, from the response time, the location of a user on an image.
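The baseline comparison described above, worked through as an added example (not code from Imperva's write-up or from Google). All timings are constructed, the assumed model is that a search matching photos takes longer than one matching nothing, and `pad_to` is a hypothetical mitigation model, not the fix Google shipped.

```python
from statistics import median

# Constructed response times in milliseconds; not measurements of any real service.
ZERO_RESULT_MS = [101, 99, 103, 100, 98, 102, 100, 101]    # searches known to match nothing
QUERY_MATCH_MS = [131, 128, 135, 129, 133, 130, 127, 132]  # hypothetical search that matches photos
QUERY_EMPTY_MS = [100, 102, 99, 101, 103, 98, 100, 101]    # hypothetical search that matches nothing


def baseline(samples):
    """Return (median, median absolute deviation) of the zero-result timings."""
    med = median(samples)
    mad = median([abs(s - med) for s in samples])
    return med, mad


def has_results(samples, base, k=5.0, floor_ms=2.0):
    """True when the median timing sits clearly above the zero-result baseline."""
    med, mad = base
    # floor_ms keeps the threshold above the baseline even when the spread is zero.
    threshold = med + max(k * mad, floor_ms)
    return median(samples) > threshold


def pad_to(samples, budget_ms):
    """Assumed mitigation model: every response is delayed to a fixed time budget."""
    return [max(s, budget_ms) for s in samples]


def demo():
    """Classify both sample queries, first unpadded, then with responses padded to 150 ms."""
    base = baseline(ZERO_RESULT_MS)
    raw = (has_results(QUERY_MATCH_MS, base), has_results(QUERY_EMPTY_MS, base))
    padded_base = baseline(pad_to(ZERO_RESULT_MS, 150))
    padded = (
        has_results(pad_to(QUERY_MATCH_MS, 150), padded_base),
        has_results(pad_to(QUERY_EMPTY_MS, 150), padded_base),
    )
    return raw, padded


if __name__ == "__main__":
    print(demo())
```

Once every response takes the same time, the matching and non-matching searches classify identically and the timing carries no information about the result.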
A flaw fixed in January
The process of accessing Google Photos location data is quite complex, and the details are available in an Imperva blog post. Google corrected the problem in January, before Imperva published its article. However, you must update the Chrome browser to take advantage of this patch.