A bug in Google Home app allows user to access Google Photos from unknown Google users. This is a massive breach of privacy.
Yesterday a movie reviewer from Chennai posted on twitter that he was seeing random accounts in the “Linked Accounts” setting of Google Home App while connecting to his Android TV.
He tweeted:
https://twitter.com/wothadei/status/1102089147596992512
When I access my Vu Android TV through the @Google
Home app, and check the linked accounts, it basically lists what I imagine is every single person who owns this television. This is shocking incompetence.
However when he tried to add screensaver from “Google Photos” in the “Ambient mode” he was presented with the same list of linked accounts. He randomly selected an account.
Voila!, private pictures from Google Photos of that account were displayed on his Android TV. At this point Mr. Prashant tagged Google and Google India to address the issue.
https://twitter.com/wothadei/status/1102090934739595264
Oh my god. Private @googlephotos
of strangers are being shown to me in the ambient mode screensaver. SERIOUSLY WHAT THE FUCK?! @Google
@GoogleIndia
Google after asking basic security questions didn’t acknowledge that the bug resides in Google Accounts authentication mechanism and directed Mr. Prashant to contact the TV manufacturer.
Read More: Facebook Bug Exposed Photos of 7M Users
However some other users have confirmed that the same issue can be reproduced on Android TVs by different manufacturers.
This is a massive breach of privacy of Google Photos users and as of this time Google has not yet acknowledged it.
We have not received any reply from Google at the time of publication.