It has been reported that a vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images they stored in the account. The flaw affected the Google Photos search endpoint that allows users to quickly find pictures based on aggregated metadata, such as geo-location and date of creation, an artificial intelligence algorithm that can recognize objects and people’s faces after they’ve been tagged.
For the attack to work, victims need to be lured to load a malicious website while they are logged into Google Photos. This is hardly an obstacle, considering how many people use Gmail and that a Google Account signs you into all Google services.
Paul Bischoff, Privacy Advocate at Comparitech:
“Although this vulnerability has now been patched, geo-tagging photos can still be a physical security risk. Adding geo-tags to photos you post online can alert criminals to your whereabouts, which can lead to burglaries, among other crimes. The best way to avoid this is by removing the location permission from both your camera app and the Google Photos app. To strip location info from a photo you already took, open the photo in the Google Photos app and click the three dots in the top right corner, then tap Info. Scroll down to view and remove the geo-tag from a photo.”