Android TV Bug Gave Users Access To Strangers' Google Photos (engadget.com)
Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums. From a report: If someone were to click on "linked accounts" while setting your Google Photos screensaver, the Google Home bug apparently showed a giant, scrolling list of users. From there, the bug allowed limited access to users' personal images in Google Photos, which could then be displayed as Ambient Mode screensavers. That is, someone could have theoretically displayed your photos as screensavers on their Android TV without you knowing it. The user who discovered this bug theorized that the list of accounts were other users with the same TV model, but that hasn't been confirmed yet. There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime.
Protect Yourself! (Score:5, Insightful)
Not everything has to be a "smart device" - the more you have, the more chance your data will be compromised and exposed (sooner).
Just buy a regular "dumb TV".
Oh, wait. You can't. But at least it's a Good Thing (tm) for you! [slashdot.org]
Re: (Score:2)
It's a shame that common sense isn't a smart device. People would actually buy it if it was.
That's a laugh.
Common sense isn't popular because it doesn't come in a cool form factor.
Common sense isn't popular because ignorance and stupidity are. And society seems to enjoy rewarding stupidity these days.
Re: (Score:3)
No fellow human. Just buy a regular "smart device" because the more you have, the more chance your data will be compromised and exposed is it's a Good Thing (tm) for you!
The more we learn, the more it's a Good Thing (tm) for you!
Fellow human, do not Just buy a regular "dumb TV".
Goodbye, fellow human. Do not let the bed bugs itch.
Re: (Score:2)
Go back to CRT TVs and computer monitors. :P
Google, we are not surprised (Score:5, Insightful)
One of those situations where if you're going to trust a 3rd party to store your pictures then perhaps you should find a place that allows you to upload encrypted files.
Re: (Score:2)
Also, unlike things like your SSN or driver's license, your photos cannot be used for indirect financial gain (identity theft). The most a stranger can do is look at them (you're still protected by c
Re: (Score:2)
Encrypted = paid. One of the attractions of Google Photos is that they give you free unlimited storage for photos up to 2048x2048 (and videos up to 1080p and 15 minutes IIRC). But in order to qualify, their servers have to be able to confirm that it's actually a photo, which means it has to be unencrypted.
It's trivial to embed any data file you want into an image. You can even make it very resilient against recompression.
There are plenty of instructional JPEGs floating around the web that are a valid JPEG picture with text drawn on them, typically instructions telling you what the file contains, what you can do with it, and how to use it. Typically, you just open it as a zip file, but there are plenty of other methods.
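A defender's view of the JPEG-plus-ZIP files described in the comment above, as an added example that is not part of the original thread: an upload check that walks the JPEG marker structure to the real end-of-image marker and reports what follows it. The function names and the sample file are constructed for illustration.

```python
import io
import zipfile

NO_LENGTH = {0x00, 0x01, *range(0xD0, 0xD8)}  # stuffed byte, TEM, RST0-RST7


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure; return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected a marker at offset {pos}")
            pos += 1                      # entropy-coded scan data
            continue
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
        elif marker in NO_LENGTH:         # markers that carry no length field
            pos += 2
        else:                             # segment with 2-byte big-endian length
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length             # skips payloads that contain FFD9
            in_scan = marker == 0xDA      # SOS: scan data follows
    raise ValueError("truncated JPEG: no EOI marker")


def inspect_upload(data: bytes) -> dict:
    """Report what follows the image in an uploaded file (hypothetical helper)."""
    end = jpeg_end_offset(data)
    trailing = io.BytesIO(data[end:])
    names = []
    if zipfile.is_zipfile(trailing):
        with zipfile.ZipFile(trailing) as zf:
            names = zf.namelist()
    return {"jpeg_bytes": end, "trailing_bytes": len(data) - end, "zip_names": names}


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG marker skeleton with a ZIP appended."""
    app0 = b"\xff\xe0" + (9).to_bytes(2, "big") + b"JFIF\x00\xff\xd9"  # decoy FFD9
    sos = b"\xff\xda" + (3).to_bytes(2, "big") + b"\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("notes.txt", "constructed payload")
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + archive.getvalue()
```

A non-zero `trailing_bytes` on an upload that is supposed to be a plain photo is the signal to re-encode or reject the file; searching for the first `FFD9` instead of walking the segments would stop inside the APP0 payload of the sample.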
Re: (Score:2)
If you don't think Google is working on a way to milk useful information from the petabytes of visual information it stores every day then I think you are very naive.
Let's pick out some easy stuff first. How about cataloging any obvious name brands in any of your pictures? It sure would give Google a good idea of which products to pitch to you. How about geolocating? You have a lot of pictures from the beach? Which ones? Does that mean you're open for pitches for vacations in the Bahamas? Hawaii? Carolina's
Double Jeopardy (Score:2)
Google is working on a fix and has disabled Google Photos screensavers in the meantime.
This stinks not only in that your photos might be exposed, but suddenly a feature you expected to be there to show off some photos of your own to others is disabled. So literally other people could now see your photos in a way you cannot (if they somehow blocked the shut-off update).
The Real Story (Score:2)
Who even owns these devices? I never met anyone in my entire life with such a thing.
I have to admit the only surprise for me in this story, was that anyone had uploaded photos on these devices to find...
Re: (Score:1)
Yeah, the fact that they're considering this a bug with the Android TV platform is very discouraging. Sure, there's a configuration wrong there, but the real bug is with the security model of the Google Photos service which is granting unauthorized users access.
Dumbass (Score:3)
If you put your photos online, you have to assume that everyone on the planet will be able to see them one day.
Re: (Score:2)
It got annoying because you're a dumbass. You just had to change the cycling timer to a much longer period, such as a few hours or even a day.
Re:Dumbass (Score:5, Interesting)
Totally agree with you that unless encrypted, private documents like a will or your master password list, or private porn you made with your SO do not belong on the cloud. But for regular photos documenting important moments in your and your children's lives, the risk of losing everything in a fire or robbery is greater than the risk of an unauthorized person viewing them online. So back them up to the cloud. It's the lesser of two evils.
TVs should not be "smart" (Score:3)
A TV is supposed to do ONE thing: take a signal and display it. Stretching things a bit, it could play media files from a USB stick. There, done. Nothing beyond that. It's not supposed to go online, it's not supposed to run applications, it's not a computer, it's a goddamn TV. If I wanted to make it "smart" I'd just buy some $30 media box.
Not a bug on the TV (Score:2, Interesting)
If a bug on the client is giving it access to server content it shouldn't be able to see, there's a serious problem with the security design on the server.
Linked accounts are other accounts on the TV (Score:1)