Jump to content

Google Photos bug leaked location history


The AchieVer

Recommended Posts

The AchieVer

Google Photos bug leaked location history

 

Imperva Researchers recently patched a vulnerability in Google Photos that could allow threat actors to track a user’s location history.

 

By exploiting the flaw and using a little social engineering, malicious websites could have exposed when Google Photos were taken, according to the report

Imperva researcher Ron Masas used an HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint and Javascript to measure the amount of time it took for the onload event to trigger. He was then able to calculate the baseline time or a timing a search query that will return zero results.

 

The researcher then timed the following query “photos of me from Iceland” and compared the result to the baseline and found that if the search time took longer than the baseline, he could assume the query returned results and thus infer that the current user visited Iceland.

 

By adding a date to the search query, Masas could check if the photo was taken in a specific time range and by repeating this process with different time ranges, he could quickly approximate the time of the visit to a specific place or country.

 

For the attack to work, the target must open the malicious website while logged in and the malicious code will generate requests for the Google Photos search end point to extract boolean, true or false, answers to any query the attacker makes.

 

 

 

Source

Link to comment
Share on other sites


  • Views 221
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...