The now-patched flaw is another example of browser-based side-channel attacks.
Researchers have revealed a now-patched flaw that would allow hackers to track your location history using Google Photos. Ron Masas, from security company Imperva, explains in a blog post that Google Photos — which was recently subject to an Android TV bug — was vulnerable to browser-based timing attacks, which could leverage a photo’s image data to approximate the time of a visit to a specific place or country.
For this attack to work, though, a user would have to be tricked into opening a malicious website while logged into Google Photos, and the hacker would have to dedicate a certain amount of effort to the attack, so it was never a prevalent risk. However, as Mases — who recently uncovered a similar vulnerability with Facebook Messenger — notes, browser-based side-channel attacks are still regularly overlooked. “While big players like Google and Facebook are catching up,” he said, “most of the industry is still unaware.”