A bug was discovered this week in Google Photos, where all photos in a users Google Photo account could have their metadata easily read and collected. Bad actors would target a particular query, for example, a location, and then measure the time it takes for the website to respond. Even though the response might be an access denied, there is value in knowing it’s presence or not. It is possible to confirm or deny the presence of particular tags in the photo when using this cross site search method of attack.
Location is probably one of the more dangerous pieces of information that can be leaked using this attack as it is possible to build a timeline of the victim’s travels and location using consecutive searches. In the original report of this issue, the researcher was able to divine the approximate date and time of a visit to another country using a malicious website by interacting with a logged in google photos account.
While this attack doesn’t give any access to the photos themselves, or anything other than whether or not the specified terms/queries exist, the benefits can be extrapolated out to schedules and can allow for more finely crafted malvertisements or phishing attempts. One could imagine a malware ridden site harvesting emails, gaining access to location information, and then sending malicious emails being sent concerning issues with travel expenses to a location which is lent more credence by the fact that our victim has traveled to the given location within the time frame that the email is sent.
While this exploit in particular has been patched, there are countless other browser side attacks that can be exploited, and safeguarding your data is paramount. This attack shows how a clever adversary can wield information no matter how small the leakage. Tools are available for content control to prevent data leakage. Tools such as PuriFile can help you manage metadata, scrub documents of sensitive terms and information, and even help detect data that may be obfuscated.
Thanks to Peraton for this information
For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:
Dubsmash (162 million),
MyFitnessPal (151 million),
MyHeritage (92 million),
ShareThis (41 million),
HauteLook (28 million),
Animoto (25 million),
EyeEm (22 million),
8fit (20 million),
Whitepages (18 million),
Fotolog (16 million),
500px (15 million),
Armor Games (11 million),
BookMate (8 million),
CoffeeMeetsBagel (6 million),
Artsy (1 million), and
The hacker told The Register that his goal in putting up the stolen accounts was to ‘make life easier for hackers’. He plans to sell the information to anyone who promises to keep the data secret. This attacker has been hacking accounts since 2012 and information on at least 20 databases.
Further, the hacker stated:
“I don’t think I am deeply evil. I need the money”“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”
To read the full article go here