Android TV Bug Gave Users Access To Strangers' Google Photos

Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums. From a report: If someone were to click on "linked accounts" while setting your Google Photos screensaver, the Google Home bug apparently showed a giant, scrolling list of users. From there, the bug allowed limited access to users' personal images in Google Photos, which could then be displayed as Ambient Mode screensavers. That is, someone could have theoretically displayed your photos as screensavers on their Android TV without you knowing it. The user who discovered this bug theorized that the list of accounts were other users with the same TV model, but that hasn't been confirmed yet. There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime.

IOT

web 3.0!!!

Strangers'

Are they really strangers after that?

Re:Strangers'

I thought "the stranger" was when you sat on your left hand while masturbating to other people's Google Home photos?

Protect Yourself!

[forkfail]

Not everything has to be a "smart device" - the more you have, the more chance your data will be compromised and exposed (sooner).

Just buy a regular "dumb TV".

Oh, wait. You can't. But at least it's a Good Thing (tm) for you!

Re:Protect Yourself!

It's a shame that common sense isn't a smart device. People would actually buy it if is was.

Re:Protect Yourself!

[oliver253]

Larger computer monitors work quite well as TV. A couple of HDMI inputs and you're good to go. Some even come with a remote control and small speakers, if you need them.

Re:Protect Yourself!

[Gravis+Zero]

No fellow human. Just buy a regular "smart device" because the more you have, the more chance your data will be compromised and exposed is it's a Good Thing (tm) for you!

The more we learn, the more it's a Good Thing (tm) for you!

Fellow human, do not Just buy a regular "dumb TV".

Goodbye, fellow human. Do not let the bed bugs itch.

Re:Protect Yourself!

A smart TV is a lot less smart without internet access

Re:Protect Yourself!

Easy to found a 1080 or 4k projector without built-in smarts. With the long-lasting bulbs being used in projectors today, I use mine for all my television watching. Note: it helps to have a room that can be darkened.

Re:Protect Yourself!

[geekmux]

It's a shame that common sense isn't a smart device. People would actually buy it if is was.

That's a laugh.

Common sense isn't popular because it doesn't come in a cool form factor.

Common sense isn't popular because ignorance and stupidity, is. And society seems to enjoy rewarding stupidity these days.

Re:Protect Yourself!

You realize that this is more of a problem for the people who uploaded their pictures to Google Photos and less so for the owners of these smart TVs, right? I mean, I suppose there's a chance you'd see somebody else's picture that could scar you for life, but I'd be more concerned about my private pictures becoming public.

Re: Protect Yourself!

Just buy a projector. It seems that they leave the apps off of most projectors I've seen.

Re:Protect Yourself!

[pauljlucas]

Can you give links to any computer monitors that have a comparable price to otherwise comparable-sized smart TVs? (AFAIK, size-comparable monitors are way more expensive than their smart TV counterparts.)

Re:Protect Yourself!

[antdude]

Go back to CRT TVs and computer monitors. :P

Google, we are not surprised

One of those situations where if you're going to trust a 3rd party to store your pictures then perhaps you should find a place that allows you to upload encrypted files.

Re:Google, we are not surprised

[Solandri]

Encrypted = paid. One of the attractions of Google Photos is that they give you free unlimited storage for photos up to 2048x2048 (and videos up to 1080p and 15 minutes IIRC). But in order to qualify, their servers have to be able to confirm that it's actually a photo, which means it has to be unencrypted.

Also, unlike things like your SSN or drivers license, your photos cannot be used for indirect financial gain (identity theft). The most a stranger can do is look at them (you're still protected by copyright if someone uses them for commercial purposes without your permission). So unless you're a celebrity or in the habit of taking nude photos of yourself, you probably don't really care if other people see your photos. And so won't pay extra to store them in encrypted form to keep them secure. If you're that paranoid about people seeing you, you should be wearing a burka whenever you go outside.

Re:Google, we are not surprised

[sexconker]

Encrypted = paid. One of the attractions of Google Photos is that they give you free unlimited storage for photos up to 2048x2048 (and videos up to 1080p and 15 minutes IIRC). But in order to qualify, their servers have to be able to confirm that it's actually a photo, which means it has to be unencrypted.

It's trivial to embed any data file you want into an image. You can even make it very resilient against recompression.
There are plenty of instructional JPEGs floating around the web that are a valid JPEG picture with text drawn on them, typically instructions telling you what the file contains, what you can do with it, and how to use it. Typically, you just open it as a zip file, but there are plenty of other methods.

Re:Google, we are not surprised

[terrycarlino]

If you don't think Google is working on a way to milk useful information from the petabytes of visual information it stores every day then I think you are very naive.

Lets pick out some easy stuff first. How about cataloging any obvious name brands in any of your pictures? It sure would give Google a good idea of which products to pitch to you. How about geolocating? You have a lot of pictures from the beach? Which ones? Does that mean you're open for pitches for vacations in the Bahamas? Hawaii? Carolina's Outer Bank? How about facial recognition? Do you know anybody Google might like more information on? How about anyone the FBI, NSA or some other three letter agency might like to know you know? We won't even talk about why you have one picture with the woman next store and your wife, but she seems to have lots of pictures of the two of you together without your wife.

You can see where this is going.

ANDROID? Impossible, it's so fucking secure!

Lol.

Double Jeopardy

[SuperKendall]

Google is working on a fix and has disabled Google Photos screensavers in the meantime.

This stinks not only in that your photos might be exposed, but suddenly a feature you expected to be there to show off some photos of your own to others is disabled. So literally other people could now see your photos in a way you cannot (if they somehow blocked the shut-off update).

Re: Double Jeopardy

Who even owns these devices? I never met anyone in my entire life with such a thing. And who is grabbing all these user photos? And why is Google not testing stuff like this before they go out and sell things?

Re:Double Jeopardy

Is it possible to ask Elon Musk if he has a solution to this? Maybe someone he respects, like Donald Trump, who is an expert in this kind of thing, could ask him to work on a privacy respecting photo library based screensaver. There are very few people in the world who are qualified to do this kind of thing, but I think Musk is one of them.

Re:Double Jeopardy

Yeah, the fact that they're considering this a bug with the android TV platform is very discouraging. Sure, there's a configuration wrong there, but the real bug is with the security model of the google photos service which is granting unauthorized users access.

Dumbass

[Red_Forman]

If you put your photos online, you have to assume that everyone on the planet will be able to see them one day.

Re:Dumbass

I used to have a spare 40 inch panel cycling photos off a usb stick like a giant digital picture frame. It got annoying. I gave it away and hung a painting there.

Re:Dumbass

[Solandri]

It's not that simple. I've had to help a dozen or so people try to recover "irreplaceable" photos from a dead phone or hard drive. I've never had someone complain that their online photos were seen by unauthorized persons. And in fact, I suspect the people who lost their photos would've gladly accepted strangers viewing their photos if it meant they had them back. So on balance, it's a risk worth taking for most people, and I recommend people backup their important photos to the cloud. Google Photos is a good choice because they give you free unlimited storage of photos up to 2048x2048 resolution (it has an option to automatically downsize larger photos). (The other services I recommend are Amazon Prime - unlimited storage of photos of any size, and Office 365 - inclues 1 TB of cloud storage.)

Totally agree with you that unless encrypted, private documents like will or your master password list, or private porn you made with your SO do not belong on the cloud. But for regular photos documenting important moments in your and your children's lives, the risk of losing everything in a fire or robbery is greater than the risk of an unauthorized person viewing them online. So back them up to the cloud. It's the lesser of two evils.

Re:Dumbass

[Red_Forman]

It got annoying because you're a dumbass. You just had to change the cycling timer to a much longer period, such as a few hours or even a day.

Re:Dumbass

If you're going to go through the hassle of teaching someone how to do a backup, why should you start with the cloud? Teach them how to do backups on external drives, and if things are really important for them, then include extra drives and rotate them to go offsite. Bonus, restoring terabytes is a lot quicker to do over a USB drive than it is online.

Re:Dumbass

All your emails are online at one point in their lifecycle. Do you assume they are all publicly available or locked behind your account? This is Google unlocking your account for other people and letting everyone read your emails.

TVs should not be "smart"

[Stormwatch]

A TV is supposed to do ONE thing: take a signal and display it. Stretching things a bit, it could play media files from an USB stick. There, done. Nothing beyond that. It's not supposed to go online, it's not supposed to run applications, it's not a computer, it's a goddamn TV. If I wanted to make it "smart" I'd just buy some $30 media box.

Lies

Google is lying about taking your privacy seriously, otherwise the photos would be encrypted and the TV would have only accessed cipher text photos.

Instead they are evil.

cut the cord one device at a time

You do not need to have connected device beyond a computer and a cell phone.

You don't need more than a handful of apps.

You don't need paid streaming services or paid cable, sat TV.

Not a bug on the TV

If a bug on the client is giving it access to server content it shouldn't be able to see, there's a serious problem with the security design on the server.

The Real Story

[SuperKendall]

Who even owns these devices? I never met anyone in my entire life with such a thing.

I have to admit the only surprise for me in this story, was that anyone had uploaded photos on these devices to find...

Something else you don't own

There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime.

Remember, kiddies: when you "buy" anything from Google or Apple you're really only renting it.

Vindication

Yet another example of why you shouldn't back up your personal stuff to services like Google Pictures or Apple etc. I often find myself explaining to friends and family why I don't post personal pictures online or use social media. The simple fact is, once you give your data to a third party, there is an increased risk of it getting into the hands of people you don't want it to. Viz the article we're reading today, the Fappening (eek, imagine your nudes leaking) etc.

There are plenty of viable offline solutions that are hardly anymore difficult than uploading your pictures to the web. For instance my phone syncs my pics/vids daily with my NAS, they're backed up once a week to another old server I had lying around (along with documents), and I keep another copy on a rugged hard drive I usually have with me.

Re:ANDROID? Impossible, it's so fucking secure!

You do know what company owns all the services that were compromised for The Fappening, right, Applel shill?

Silo and Atyme(?)

Those are two brands Fry's sells as their 'budget 2160p' tvs. As I understand it both models are linux based, like all the smart TVs but lack wifi or ethernet, leaving the usb port, HDMI-CEC, or ethernet over hdmi as the only possible routes of data leakage. Now mind you they are budget screens that might have more dead pixels, or a slower refresh rate than the Samsung/LG/etc all units, but for many of us that is less of an issue than being spied on all the time.

Do your research, show your support, buy only privacy supporting non-smart TVs. If you can't, move to monitors that hadn't turned smart yet, and plug in a TV tuner on the side :)

Linked accounts are other accounts on the TV

[darrenwsteven]

There's some confusion about the scope of this issue: It's not some massive, random list of users from Googles population, it's a local list of users that have logged into that TV, and linked their account to it. Not ideal, but probably a small group of known associates, who are likely to see your photos anyway. Logging into a shared device is fraught with danger, but we should be able to trust a TV right?