Google Photos Flaw Allowed Hackers to Track Users

Google recently patched a vulnerability in its Photos service that could have been exploited via browser-based timing attacks to track users, Imperva revealed on Wednesday.

Google Photos allows users to store, manage and share their photos. The service includes a search engine, it automatically tags each photo using metadata (e.g. date, geographical location), it uses AI to generate a text description of the pictures, and automatically tags people based on facial recognition.

Imperva researcher Ron Masas conducted some tests last year to determine if Google Photos was susceptible to side-channel attacks and discovered that the service’s search endpoint was vulnerable to browser-based timing attacks that could have been used to determine where, when and with whom a targeted individual’s photos were taken.

The attacker could have obtained information on the target’s photos by measuring the time it took the server to provide a response to queries. First, they would have to calculate a baseline by measuring how long it took the server to respond if there were zero results for a query. If the response time was longer than this baseline, a result likely existed.

For instance, the attacker could have sent a query like “photos of me in Paris” and if the search time was longer than the baseline time it could be assumed that the victim had visited Paris. If the search time was the same as the baseline time, that would indicate zero results, which meant that the victim had not visited Paris. The search engine takes into account photo metadata as well so the query could have also contained dates that could help the attacker determine when the victim visited a specified country or place.

“In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results,” Masas explained in a blog post.

In order to exploit this flaw, an attacker would have needed to convince a user logged into Google Photos to access a malicious website containing specially crafted JavaScript code that would continuously send silent requests to the Photos search endpoint.

The Imperva researcher noted that the attack relied on an incremental process, which would have allowed the attacker to keep track of results obtained until that point and continue from there the next time the victim would visit their malicious website. The expert has published a video showing the exploit in action.

Masas told SecurityWeek that the vulnerability was reported to Google in late November and a server-side fix was rolled out roughly 3 months later. Google awarded the researcher a $1,337 bounty for his findings after assigning the flaw a priority rating of P3. The internet giant describes a P3 bug as “an issue that should be addressed when able. Such an issue is relevant to core organizational functions or the work of other teams, but does not impede progress or else has a reasonable workaround.”

Masas told SecurityWeek that Google patched the flaw by ensuring that the server response time does not depend on a Photos search query.

Related: Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018

Related: Google Patches Actively Exploited Chrome Vulnerability