March 21, 2019 at
A vulnerability, now patched, allowed websites with malicious code to track and expose where, when and with whom your photos were taken. That’s some scary stuff considering how many photos we take. Anyone with access to your photos can build up an easy profile of both you and your friends.
Google noticed that people were taking far more photos than ever before, particularly with their smartphones, which is why they focused on improving their Photos app in the traditional Google way: search (and AI)!
Instead of putting the onus on the user to categorize and save pictures, Google made it easy to search for anything you wanted. Where you took a photo, the people you took it with, and even context-sensitive topics such as weddings, the beach and historical monuments were all inferred by advanced AI techniques that scanned your photos and picked up clues about what you were doing.
Combining that with geotagged metadata and the wealth of other information cameras record every time you take a snap, Google made it easy for you to find any photo you could remember taking (and even some that you might have forgotten about). So by searching “Photos of me and Jake from carnival 2017” you could get every photo you took at that time, in that place, with that person.
So what was the problem?
Most people have been using Google Photos for years, and a lot of them never really knew about the strength of the search capabilities. It is one of those features that Google just implements without much fanfare.
That prompted some cybersecurity analysts to check it for side-channel attacks. It didn’t take them long to find out that the Google Photos search endpoint was vulnerable to something called XS-Search, a browser-based timing attack.
How does it work?
The following video demonstrates how someone could have gained access to your location history before the vulnerability was closed. Even while it was live, though, you needed to be on a website with the malicious code and logged into Google Photos on the same PC at the same time.
The first line in the video represents the baseline timing for an empty results page. Any time a result deviates from that baseline, it means the viewer visited that specific country.
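The timing leak above only works because an attacker's page can make the victim's browser send authenticated search requests and measure how long each takes. One defence, written here as an added example rather than anything Google or the researchers published, is a Fetch Metadata "resource isolation" check in front of the search endpoint: the server reads the Sec-Fetch-* headers browsers attach to every request and rejects cross-site embedded or scripted loads before any search runs, so the response time no longer depends on the user's private data. The `handleSearch` wrapper and `runSearch` stand-in are assumed names for illustration.

```javascript
// Decide whether a request may reach the search logic.
// `headers` uses lower-case names, as Node's http module provides them.
function isolationPolicy(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Older browsers send no Fetch Metadata; fall back to SameSite cookies.
  if (site === undefined) return { allow: true, reason: 'no fetch metadata' };

  // Our own origin/site, or a user-initiated request (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site: only a top-level navigation (a user following a link) is
  // acceptable. img/script/iframe loads and fetch()/XHR are what a
  // malicious page uses to time the endpoint, so they are rejected.
  const topLevelNav = mode === 'navigate' && dest === 'document' &&
    (method === 'GET' || method === 'HEAD');
  if (topLevelNav) return { allow: true, reason: 'cross-site top-level navigation' };
  return { allow: false, reason: `blocked cross-site ${mode} request (dest=${dest})` };
}

// Search endpoint wrapper (hypothetical). `runSearch(query)` stands in for
// the real, expensive, data-dependent search; it runs only once the policy
// has passed, so a rejected request costs the same for every user.
function handleSearch(req, runSearch) {
  const verdict = isolationPolicy(req.method, req.headers);
  if (!verdict.allow) {
    return { status: 403, body: '', reason: verdict.reason };
  }
  const results = runSearch(req.query);
  return { status: 200, body: JSON.stringify(results), reason: verdict.reason };
}

// Cookie attributes that also close the gap for legacy clients: with
// SameSite=Lax, embedded cross-site loads carry no session at all.
const SESSION_COOKIE = 'session=<opaque-id>; Secure; HttpOnly; SameSite=Lax; Path=/';
```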
What to do?
It’s a measure of how quick Google is that they were able to fix this vulnerability so promptly, but there is still a large number of websites that remain vulnerable to side-channel attacks. While big fish like Facebook, Microsoft and of course Google are quickly catching up, many smaller players in the market aren’t.
That means you need to be aware of the problem so that you do not have a bad experience. Many people are joining the effort to document these side-channel vulnerabilities, including vulnerable DOM APIs.
If you are interested, you can find more information on the xsleaks repository.