Hackers could track you using Google Photos

Hackers could have tracked you using a now patched bug in the web version of Google Photos, according to researchers at security firm Imperva.

Imperva’s Ron Masas revealed the news in a blog post on Wednesday. The bug stemmed from the service’s search functionality and has reportedly since been fixed b Google. But while open he found it could be used to “approximate” the time and place photos were taken.

“In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time,” he explained.

“Next, I timed the following query ‘photos of me from Iceland’ and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland.”

Related: Best free antivirus software

It’s unclear if the vulnerability was actively targeted by hackers, so the damage could be very limited. According to Masas to exploit users criminals would need to trick them into visiting a malicious web page while logged into Google Photos.

“This can be done by sending a victim a direct message on a popular messaging service or email, or by embedding malicious Javascript inside a web ad,” he explained.

“The JavaScript code will silently generate requests to the Google Photos search endpoint, extracting Boolean answers to any query the attacker wants.”

Related: Best Android apps

The news follows reports that two thirds of Android antivirus apps are “pure snake oil”. The news broke when Austrian antivirus testers AV-Comparatives examined the effectiveness of 250 Android antivirus apps.

Nervous someone may have used your Google Photos to snoop? Let us know on Twitter @TrustedReviews