Google Photos is one of the most popular cloud storage services and is integrated with many other Google products. Yet, as a researcher has found, it applies only a thin protection layer to the photos and videos that users store and share. The only thing standing between privately shared media and public exposure is an obfuscated web link. When an owner wants to share an album with a specific person, Google Photos generates a link for them to pass on. But instead of restricting access to the accounts the owner chose, the service lets anyone holding that link open and view the content.

Google Photos users should be aware of this loophole, which increases the exposure of the private photos and videos they store on the platform. A link created to share an album privately can be used by anyone who obtains it to view the same content; in effect, privately shared links are publicly accessible. This is a serious oversight, and it is hard to see how Google let it through.

How Does Privately Shared Media On Google Photos Become Publicly Accessible?

Robert Wiblin, a researcher at 80,000 Hours, recently documented the lapse that makes privately shared Google Photos content publicly accessible. He reproduced the scenario several times, and on each occasion the privately shared link opened from any Google account. More surprisingly, viewers did not need to be signed in to a Google account at all. Anyone with the shared link, a working internet connection and a web browser could view the photos and videos without restriction: no specific permission, no Google account, just the link.

Google Relies On Obfuscation As The Only Defense Against Unauthorized Access To Shared Media On Google Photos?

Google evidently does not layer multiple safeguards in front of shared images and videos on Google Photos. The only protection between the content and a viewer, authorized or not, is the obscurity of the link itself.

In Google’s defense, the link is long and random enough that guessing it is, for practical purposes, impossible: brute-force attacks, however much computing power they throw at the problem, are not going to stumble on a valid URL. The caveat is that this holds only as long as the link tokens are generated unpredictably. If a flaw in the generation algorithm were ever found and reverse-engineered, attackers could shrink the search space dramatically.

Obtaining the correct, complete link through other, well-worn means is another matter entirely. Third parties who were never meant to see the content can capture the URL through network monitoring (where the traffic is not encrypted end to end, or on a device or proxy that can see it in the clear), accidental forwarding, or unencrypted email. Attackers can also use social engineering to talk recipients into handing over the link. Obtaining the URL is the only step required: paste it into any web browser and the shared media appears. And, as noted, the viewer does not even need to be signed in to a Google account.

Google Doesn’t Openly State Such Poor Protection On Google Photos But Does Offer A Security Switch

Robert Wiblin points out that Google Photos does not make this behaviour clear to its users. Worse, there is no way to see view statistics for shared media: Google offers no information on how often, or by whom, a shared album has been opened.

Google is known for simplicity and ease of use. Its products usually avoid complicated settings pages: users can quickly navigate to or search for a particular setting, and the settings relevant to an action are usually visible while performing it. That is not the case for sharing in Google Photos.

PDA – Google Photos shares are public by default (no way to restrict)

— Sergey Vershinin (@svershin) July 16, 2019

Google Photos offers no clear, direct guidance on how to disable sharing so that others can no longer reach an album. Users have to open the Sharing view and hover over the shared album; the menu that pops up offers an option to delete the album. There is, however, a less drastic way to cut off access: instead of deleting the album, open its options and choose to stop sharing the link, which revokes it.

This recently discovered and still-working method of accessing content without explicit permission is serious. The Google Photos interface closely resembles Google Drive, and the two services were tightly integrated until very recently, which leads many users to assume that Photos applies the same authorization rules as Drive. It clearly does not, and the recent delinking has only added to the confusion.

It should not be hard for Google to bring sharing in Photos in line with Drive. Drive treats a private share the way YouTube treats a “Private” video: only explicitly authorized, signed-in viewers can open it. Google Photos instead treats shared media like an “Unlisted” YouTube video: anyone holding the link can watch it. If Photos checked the viewer’s identity against the owner’s chosen recipients at the landing page, rather than relying on the link alone, the media would be protected from unauthorized access.
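The following Python model makes the two sharing policies contrasted above concrete, together with the “stop sharing” revocation described earlier. It is an added example written for this article, not Google Photos code; the service and album names, the album contents and the account names are constructed for illustration. The “Unlisted” path grants access to whoever presents the link token, signed in or not, while the “Private” path ignores the link and requires a signed-in viewer on the owner’s allowlist.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: a toy model of two album-sharing policies.
# PhotoShareService, Album and all account/album names are invented here;
# this is not Google Photos' implementation.


class AccessDenied(Exception):
    pass


@dataclass
class Album:
    album_id: str
    owner: str
    media: list
    # "Unlisted" state: the link token is the only secret protecting the album.
    link_token: Optional[str] = None
    # "Private" state: signed-in accounts explicitly allowed by the owner.
    allowed_accounts: set = field(default_factory=set)


class PhotoShareService:
    def __init__(self):
        self.albums = {}  # album_id -> Album

    def create_album(self, album_id, owner, media):
        self.albums[album_id] = Album(album_id, owner, list(media))
        return self.albums[album_id]

    def share_by_link(self, album_id):
        """'Unlisted' model: mint a capability token and return it.

        secrets.token_urlsafe(32) draws 32 bytes from the OS CSPRNG and
        encodes them as 43 URL-safe characters (256 bits), so guessing a
        live token is infeasible. The guarantee rests entirely on the
        generator being unpredictable; a reverse-engineerable generator
        would collapse the search space."""
        token = secrets.token_urlsafe(32)
        self.albums[album_id].link_token = token
        return token

    def share_with_accounts(self, album_id, accounts):
        """'Private' model: name the viewers; the link alone is useless."""
        self.albums[album_id].allowed_accounts.update(accounts)

    def stop_sharing(self, album_id):
        """Revoke the link without deleting the album. Anyone who still
        holds the old URL is locked out from this point on."""
        self.albums[album_id].link_token = None

    def fetch(self, album_id, token=None, viewer=None):
        """Resolve a request for an album. viewer=None models a browser
        with no Google account signed in."""
        album = self.albums[album_id]
        if viewer == album.owner:
            return list(album.media)
        # Unlisted path: possession of the token is sufficient, no sign-in needed.
        if (album.link_token is not None and token is not None
                and secrets.compare_digest(token, album.link_token)):
            return list(album.media)
        # Private path: the viewer must be signed in and explicitly allowed.
        if viewer is not None and viewer in album.allowed_accounts:
            return list(album.media)
        raise AccessDenied(f"{viewer!r} may not view {album_id!r}")


def demo():
    """Walk through the scenarios from the article; returns the outcomes."""
    svc = PhotoShareService()
    svc.create_album("trip", owner="alice", media=["IMG_0001.jpg", "IMG_0002.jpg"])
    out = {}

    def attempt(key, **kw):
        try:
            svc.fetch("trip", **kw)
            out[key] = "allowed"
        except AccessDenied:
            out[key] = "denied"

    # 1. Link-only share: a leaked URL works for a stranger who is signed out.
    token = svc.share_by_link("trip")
    out["leaked_link_signed_out"] = svc.fetch("trip", token=token, viewer=None)
    # 2. A guessed token (one of 2**256) fails.
    attempt("guessed_token", token=secrets.token_urlsafe(32), viewer="mallory")
    # 3. Stop sharing: the very same leaked URL now fails.
    svc.stop_sharing("trip")
    attempt("after_revoke", token=token, viewer=None)
    # 4. Drive-style private share: only the named, signed-in account gets in.
    svc.share_with_accounts("trip", {"bob"})
    out["private_bob"] = svc.fetch("trip", viewer="bob")
    attempt("private_signed_out", viewer=None)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is in `fetch`: under the link-only model the identity of the viewer never enters the decision, which is exactly why a leaked or forwarded URL is enough; under the allowlist model the token is irrelevant and a leaked URL leads only to an `AccessDenied`. Revocation is cheap in both cases, but it is only a remedy after the fact.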