Bug potentially exposes other users’ private Google Photos on Android TV devices

Android TV is Google’s Android OS modified for TVs and digital media players. The Android TV experience differs from Android mainly through its interface, which focuses heavily on voice search and content discovery. While we don’t hear very often about Android TV and the updates Google has planned for the OS, the internet giant did announce Android Pie for Android TV back at Google I/O 2018. Beyond that, there really isn’t all that much you can do with a TV other than consuming content.

However, somewhere along the path of content discovery, we may have accidentally discovered too much “content”. A newfound bug in Android TV and the Google Home app has allowed users to list out practically every account that is connected to an Android TV device.

@wothadei discovered this when he tried to access his Vu Android TV device through the Google Home app: he could see the linked accounts of a lot of users. What’s worse, personal photos linked to these accounts on Google Photos could have been easily displayed through the Ambient Mode screensaver settings, as demonstrated here:

The user later reset their Android TV, which has prevented them from accessing any image on Google Photos, even their own. It is also likely that photos of strangers weren’t actually shown, and just the accounts were listed; but that by itself is a cause for privacy concern that cannot be underplayed. The TV is from Vu, runs Android 7 and has not received any security patches since 2017. The same issue does not exist on the Mi Box 3 running Android 8 Oreo, but another user has chimed in to confirm that the issue is not restricted to the manufacturer Vu, but may be related to Android TV, Google accounts or the Google Home app.

For now, there is no fix or workaround. Your account may be accessible to other users on Android TV, even if you are on a private network.

We have reached out to Google for a comment. We’ll update the article when we receive a response.


Source: Twitter: @wothadei



Reference - xdadevelopers.com
