Researchers recently uncovered two unrelated vulnerabilities in Google products. Imperva found a way to perform a side-channel attack on Google Photos that lets bad actors glean key location, time, and identifying information from personal accounts. The other, found by Positive Technologies, is a more dangerous Android exploit. It, too, exposes user data, and Google ranked its severity as High.

Because Google’s products are so popular, vulnerabilities such as these have the potential to impact hundreds of millions of users. Google Photos had over 500 million users as of May 2017. Android, meanwhile, powers over 2 billion devices, although the affected number is likely smaller, as the security vulnerability in question was introduced in Android 4.4 KitKat.

Who, where, and when in Google Photos

The vulnerability found in the web version of Google Photos could expose users’ location over time, as well as who they were with when photos were taken. Imperva’s Ron Masas penned a blog post detailing the issue and how he found it.

Google Photos uses metadata from your images, along with Google-powered machine learning like facial recognition, to generate a treasure trove of information. For example, it can recognize your son’s face in a photo and automatically tag him in every image in which he appears, even as he grows and changes over the years, and regardless of whether he’s smiling, frowning, or not directly facing the camera. Shots you take with your phone are tagged with precise geographical location information. If you upload additional photos taken with a DSLR that doesn’t geotag images automatically, the engine is still able to make an educated guess as to where they were shot based on context.


Much of that information is user-searchable within a Google Photos account, and Masas found a way to use a side-channel attack to exploit it. “After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack,” he wrote. “I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger.”

From that he was able to determine the time it took the service to perform a search query that returned zero results. When he performed a search that took any amount of time more than the baseline, he knew Google Photos was returning results of some kind. With a certain level of access, a bad actor can throw searches at your Google Photos account and use the timing to learn which terms return a result.


Querying the names of many countries or cities could tell the attacker that you were in Spain or New York City, for instance. Including a date or a date range in a search establishes the “when,” and adding names can reveal who you were with, too. Masas said that for a hacker to acquire that level of exposure, they would need to get a user to open a malicious website or land on a page with malicious JavaScript in a web ad while logged in to Google Photos. Most likely, they would use a phishing scheme to bait the user.
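The attack above works because a cross-origin `<link>` tag can trigger an authenticated request to the search endpoint and the page can time it. The standard server-side defense against this class of cross-site leak is to refuse such subresource requests before the query ever runs, using the Fetch Metadata headers browsers attach. The following is an added example, not Google’s or Imperva’s code; the function names, the hypothetical `run_query` callback and the sample header sets are constructed for illustration.

```python
# Added example: a "resource isolation" gate for a cookie-authenticated search
# endpoint, based on the Fetch Metadata request headers (Sec-Fetch-Site,
# Sec-Fetch-Mode, Sec-Fetch-Dest). A cross-site subresource load is rejected
# before any search runs, so there is no result-dependent latency to measure.

ALLOWED_SITES = {"same-origin", "same-site", "none"}  # "none": typed URL or bookmark


def is_request_allowed(headers: dict, method: str = "GET") -> bool:
    """Return True if the request may reach the sensitive search endpoint."""
    h = {k.lower(): v.lower() for k, v in headers.items()}  # names are case-insensitive
    site = h.get("sec-fetch-site")
    if site is None:
        # Older browser without Fetch Metadata: allow so it keeps working.
        # A real deployment pairs this with SameSite cookies for that case.
        return True
    if site in ALLOWED_SITES:
        return True
    # Cross-site from here on: permit only top-level GET navigations (so links
    # from other sites still open the app) and block plugin-style embeds.
    return (method.upper() == "GET"
            and h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") not in ("object", "embed"))


# Constructed sample requests, labelled as a browser would label them.
CROSS_SITE_LINK_PROBE = {   # <link> tag on another origin pointed at the endpoint
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "style"}
SAME_ORIGIN_FETCH = {       # the app's own front end calling its search API
    "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}
CROSS_SITE_NAVIGATION = {   # the user follows a link to the app from another site
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}
CROSS_SITE_EMBED = {        # <object> element on another origin
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}


def handle_search(headers: dict, query: str, run_query) -> tuple:
    """Gate the search; run_query (hypothetical backend call) only runs when allowed."""
    if not is_request_allowed(headers):
        return 403, ""          # cheap, uniform rejection: nothing result-dependent to time
    return 200, run_query(query)


if __name__ == "__main__":
    samples = [("link probe", CROSS_SITE_LINK_PROBE), ("same-origin", SAME_ORIGIN_FETCH),
               ("navigation", CROSS_SITE_NAVIGATION), ("embed", CROSS_SITE_EMBED)]
    for name, hdrs in samples:
        print(f"{name:12} -> {'allow' if is_request_allowed(hdrs) else 'block'}")
```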

WebView at fault

Positive Technologies said in a press release that the vulnerability (CVE-2019-5765) it found affects Android 4.4 and later, and the WebView component is to blame. On its developer site, Google explains that “WebView is useful when you need increased control over the UI and advanced configuration options that will allow you to embed web pages in a specially-designed environment for your app.” WebView is fundamental to Android’s Instant Apps, which is a feature that essentially lets you try out an app on your phone without having to download the whole thing.


Because WebView is part of the Chromium engine, Positive Technologies said that any Chromium-based browser is vulnerable. Google Chrome is the most-used of the bunch, but the Samsung Internet Browser and Yandex Browser are affected as well.

Positive Technologies’ Leigh-Anne Galloway described how an attack could work. “The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView.” She said that attackers would then have access to users’ browser history, authentication tokens, headers, and more.


The Google Photos vulnerability has already been patched. A simple Chrome browser update should abate any threat from the WebView issue for those using Android 7.0 or higher, because the bug was patched in Chrome 72 (released in January). Users running earlier versions of Android will have to update WebView via Google Play, though. Positive Technologies said that absent Google Play on a given device, users need to get a WebView update directly from the device manufacturer.
