Researchers recently uncovered two unrelated vulnerabilities in Google products. Imperva found a way to perform a side-channel attack on Google Photos that lets bad actors glean key location, time, and identifying information from personal accounts. The other, found by Positive Technologies, is a more dangerous Android exploit. It also exposes user data, and Google ranked its severity as “High.”

Because Google’s products are so popular, vulnerabilities such as these have the potential to impact hundreds of millions of users. Google Photos had over 500 million users as of May 2017. Android, meanwhile, powers over 2 billion devices, although the affected number is likely smaller, as the security vulnerability in question was introduced in Android 4.4 KitKat.

Who, where, and when in Google Photos

The vulnerability found in the web version of Google Photos could expose users’ location over time, as well as who they were with when photos were taken. Imperva’s Ron Masas penned a blog post detailing the issue and how he found it.

Google Photos uses metadata from your images, along with Google-powered machine learning like facial recognition, to generate a treasure trove of information. For example, it can recognize your son’s face in a photo and automatically tag him in every image in which he appears, even as he grows and changes over the years — whether he’s smiling, frowning, or not even directly facing the camera. Shots you take with your phone are tagged with precise geographical location information. If you upload additional photos taken with a DSLR that doesn’t geotag images automatically, the engine is still able to make an educated guess as to the location based on context.

Much of that information is user-searchable within a Google Photos account, and Masas found a way to use a side-channel attack to exploit it. “After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack,” he wrote. “I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger.”

From there, he was able to determine the time it took the service to perform a search query that returned zero results. When he performed a search that took any amount of time over the baseline, he knew Google Photos was returning results of some kind. With a certain level of access, a bad actor can throw searches at your Google Photos account and use the timing to learn which terms return a result.

Querying the names of countries or cities could tell the attacker that you were in Spain or New York City, for instance. Including the date or a date range in a search establishes the “when,” and adding names can reveal who you were with. Masas said that for a hacker to acquire that level of exposure, they would need to get a user to open a malicious website or land on a page with malicious JavaScript in a web ad while logged into Google Photos. Most likely, bad actors would use a phishing scheme to bait the user.
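The usual server-side defence against this class of cross-site probing is a Fetch Metadata resource isolation check that refuses embedded cross-site requests before any search work is done. The following is an added illustration, not Google's code or the actual fix; the photo library, handler names and header values are constructed.

```python
# Added example: a Fetch Metadata "resource isolation" check in front of a
# search endpoint, of the kind that stops a cross-site page from probing the
# endpoint with <link> tags. Not Google's code; library and handler are made up.

PHOTOS = [  # constructed sample library: (tags, place, year)
    ({"beach", "family"}, "Spain", 2017),
    ({"skyline", "friends"}, "New York City", 2018),
    ({"birthday", "family"}, "Spain", 2019),
]

def search_library(query: str) -> list:
    """Return the photos whose tags, place or year match the query term."""
    q = query.strip().lower()
    return [p for p in PHOTOS
            if q in {t.lower() for t in p[0]} or q == p[1].lower() or q == str(p[2])]

def is_cross_site_subresource(headers: dict) -> bool:
    """True when the browser's Fetch Metadata marks the request as coming from
    another site as an embedded subresource (<link>, <img>, <script>, fetch()),
    which the user's own logged-in UI never does for this endpoint."""
    site = headers.get("Sec-Fetch-Site")
    if site in (None, "same-origin", "same-site", "none"):
        # No header (older browser), same site, or user-initiated (address bar):
        # allow. Failing open here is the standard compatibility choice.
        return False
    # Cross-site: only a top-level navigation to an HTML document is allowed.
    if (headers.get("Sec-Fetch-Mode") == "navigate"
            and headers.get("Sec-Fetch-Dest") == "document"):
        return False
    return True

def handle_search(headers: dict, query: str) -> tuple:
    """Return (status, results). A cross-site probe is rejected before any
    search runs, so the reply is uniform whether or not the query matches."""
    if is_cross_site_subresource(headers):
        return 403, None
    return 200, search_library(query)

# Constructed headers Chrome sends for a <link rel="stylesheet"> pointing at
# the search endpoint from a page on another site (the probe described above).
LINK_TAG_HEADERS = {"Sec-Fetch-Site": "cross-site",
                    "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "style"}
# Constructed headers for the app's own same-origin fetch() call.
SAME_ORIGIN_HEADERS = {"Sec-Fetch-Site": "same-origin",
                       "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}
```

With the check in place, `handle_search(LINK_TAG_HEADERS, "spain")` and `handle_search(LINK_TAG_HEADERS, "no-such-place")` both return `(403, None)` without touching the library, so there is no result-dependent timing to measure.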

WebView at fault

Positive Technologies said in a press release that the vulnerability (CVE-2019-5765) it found affects Android 4.4 and later, and the WebView component is to blame. On its developer site, Google explains that “WebView is useful when you need increased control over the UI and advanced configuration options that will allow you to embed web pages in a specially designed environment for your app.” WebView is fundamental to Android’s Instant Apps, a feature that essentially lets you try out an app on your phone without having to download the whole thing.

Because WebView is part of the Chromium engine, Positive Technologies said that any Chromium-based browser is vulnerable. Google Chrome is more popular, but the Samsung Internet Browser and Yandex Browser are affected as well.

Positive Technologies’ Leigh-Anne Galloway described how an attack could work: “The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView.” She said that attackers would then have access to users’ browser history, authentication tokens, headers, and more.

Patched

The Google Photos vulnerability has already been patched. A simple Chrome browser update should abate any threat from the WebView issue for those using Android 7.0 or higher, because the bug was patched in Chrome 72 (released in January). Users running earlier versions of Android will have to update WebView via Google Play. Positive Technologies said that absent Google Play on a given device, users need to get a WebView update directly from the device manufacturer.