Android TV Bug Gave Users Access To Strangers' Google Photos (engadget.com)
Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums. From a report: If someone were to click on "linked accounts" while setting your Google Photos screensaver, the Google Home bug apparently showed a giant, scrolling list of users. From there, the bug allowed limited access to users' personal images in Google Photos, which could then be displayed as Ambient Mode screensavers. That is, someone could have theoretically displayed your photos as screensavers on their Android TV without you knowing it. The user who discovered this bug theorized that the list of accounts was other users with the same TV model, but that hasn't been confirmed yet. There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime.
Not everything has to be a "smart device" - the more you have, the more chance your data will be compromised and exposed (sooner).
Just buy a regular "dumb TV".
Oh, wait. You can't. But at least it's a Good Thing (tm) for you!
Check your premises.
One of those situations where if you're going to trust a 3rd party to store your pictures then perhaps you should find a place that allows you to upload encrypted files.
If you put your photos online, you have to assume that everyone on the planet will be able to see them one day.
A TV is supposed to do ONE thing: take a signal and display it. Stretching things a bit, it could play media files from a USB stick. There, done. Nothing beyond that. It's not supposed to go online, it's not supposed to run applications, it's not a computer, it's a goddamn TV. If I wanted to make it "smart" I'd just buy some $30 media box.
If a bug on the client is giving it access to server content it shouldn't be able to see, there's a serious problem with the security design on the server.