SecurityThing – Google Photos Bug Lets Criminals In: [04/12/2019]
It’s another Security Thing Friday. Craig talks about the new bug that lets criminals in on the photos we share and upload in Google Photos.
Below is a rush transcript of this segment; it might contain errors.
Airing date: 04/12/2019
Google Photos Bug Lets Criminals In
Craig Peterson 0:03
Hi, welcome to the Friday edition of It’s a Security Thing. We’re going to talk today a little bit about another type of vulnerability that is kind of more potential. It is real and it can be done. It’s not terribly complex. But you have to be a real target in order for it to really hit you at all. And this particular one has to do with Google Photos. Now, you might use Google Photos. There’s a lot of different photo sharing services out there, Flickr was recently purchased. And there is all kinds of data that you have in these different services that you might not realize is there. Now Google Photos is really kind of cool when you get behind the scenes. It knows tons of information about anybody that has uploaded photos to it. And it’s automatically tagging the images. Now it takes the metadata from the image. And if you haven’t stripped it, that includes things like the date and time it was taken, the actual GPS coordinates, the location that it was taken. And then what Google Photos does, is it has kind of an artificial intelligence engine. And it looks for objects and events that might be occurring in the background of the photo. So it might look at the picture and say, wow, this looks like a wedding dress, and the groom is all dressed up. And there’s other details that might indicate a wedding. So it says, oh, wow, this is a wedding.
Or there’s a waterfall in the background, it’s at sunset, it figures out just tons of stuff based on the location and time that are in the picture, as well as the picture contents itself. It’s a really good, really quite cool. It’s also using facial recognition, and using that to tag people who are also present in the photos. So here’s what happens with Google Photos search engine. I just love this idea. I’m tempted to upload photos to it because of this. But in the Google Photos search engine, you can do a search like photos of me and Karen from Paris 2017. And Google Photos knows enough information to be able to find it. I could say Google Photos of me in Paris in Google Photos of me in wherever it was I was at or near this or near that. It’s very impressive what Google’s doing. So a security researcher decided, Hmm, I wonder what I can do here. And he went in, I’m trying to find his name. It’s Massas, I think, is it? Yeah, it’s Ron Massas. And he went in and he said, I wonder if this data could be hacked? And he found that indeed, it could be but only under some pretty specific circumstances, which people could be tricked into doing. And then it can find out things about, you know, obviously, this would be for a very specific type of attack. They’re doing spearphishing. And if you listen to my interviews this week on the radio, you know a lot about spearphishing, more than you might want to know, and sextortions that are going on right now.
So he was able to do a side attack on Google Photos, and was able to figure out what people had done, where they had gone, what they had done when they were there, various other things. Again, it’s a kind of a complex thing. But it does make me think and probably makes you think about Google and these other sites. All of the stuff we have put out there, and that we’ve given Google and these other companies access to. Is it legit? Is it something we should be doing? And that’s the reason I haven’t uploaded my photos to Google Photos. Because I’m not sure I want Google to know about all this stuff. And I most particularly don’t want Google to end up selling that information or being hacked, and having that information stolen, because that happens all too often, not so much with Google, although it does happen with them. But with information that we upload all the time. Remember, yesterday, we were talking about software as a service. And Apple is very good about not mining data to advertise. Apple makes its money by selling new hardware and some software. Google makes its money by analyzing you and trying to figure out everything it can about you so that it can sell your information to advertisers. So up to you what you want to do. But again, here’s another risk. And I bet most of us just didn’t know Google was doing all of this with photos we uploaded to Google Photos. I certainly didn’t.
Alright, everybody. Have a great weekend. Make sure you tune in on Saturday morning. You should be getting my emails. If not, go to http://CraigPeterson.com/subscribe. But once you get my emails, you will see all of the articles I talked about during the week. And it’s important to keep up on all of that stuff. And also you can listen, you can just click and listen right there to this week’s Saturday show podcast. All of that stuff right there at http://CraigPeterson.com. So I’ll be back Saturday, and then I’ll be back to my regular schedule Monday through Friday with podcasts next week. Thanks everybody. Make sure you subscribe. http://CraigPeterson.com/iTunes. You’ll find me right there or /TuneIn. I’m on a whole bunch of sites out there, but subscribing really helps. Because that raises us in the chart and lets people know that hey, they might want to listen to the show too. Take care everybody. Bye bye.