Threat Watch

Vulnerability in Google Photos Exposes Geo-Location Details

A browser-based timing side channel known as a cross-site search (XS-Search) attack could have allowed attackers to extract metadata from a victim's Google Photos library, revealing where and when a photo was taken and whom the victim was with. Researchers discovered the vulnerability through a series of tests. They began by using an HTML link to issue cross-origin requests against the Google Photos search feature, then used JavaScript to measure how long it took for the onload event to fire. From these measurements they calculated a baseline response time. They then submitted a simple search such as "Photos of me from Iceland" and compared its query time against that baseline; the difference in timing told the researcher that the person used as an example had visited Iceland. The researcher responsible commented further on the instance stating, "The Google Photos search engine takes into account the photo metadata. So, by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country."

To exploit this, an attacker would need to send a message to a specific target, or place JavaScript in an advertisement, that led the user to a malicious site while they were logged in to Google Photos. Once the user landed on that site, the attacker's JavaScript could generate requests to the Google Photos search endpoint and, by timing the responses, infer the answers to the attacker's queries. Google was notified of the finding and has since deployed a fix.

ANALYST NOTES

Since Google has patched this issue, it is no longer a threat at this time. Had an attacker been able to exploit this vulnerability, however, the information obtained, such as the name of someone in a photo, could have been used to look up that person's email address and target them with phishing. Such phishing attempts could be made more convincing by incorporating the location and time details taken from the photo metadata.