A new worrying privacy flaw on Google Photos allows anyone to with a link to view your Google Photos irrespective whether you gave them permission or not. Discovered by Robert Wiblin, the Google Photos privacy flaw allows anyone who has a link you've shared to your photos (even if you specified only a certain Google user to share the photos with) to see them. Worse still, as long as they have the link, they don't even need to be logged in to their Google account to view them and can even do so from an Incognito tab.

Essentially Google Photos creates a link (something that looks like this https://photos.app.goo.gl/...) for a photo or album that you share with someone, what then happens is that should anyone else, who you didn't share the album or photo with, get hold of that link, they can view the photos.

"I’ve noticed something about Google Photos that is really weird. Crazy enough that I’ve told dozens of Photos users and none have believed me. They swear I have to be wrong, until I show them otherwise. Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface," wrote Wiblin.

What's odd is that Google Photos uses a different way for sharing compared to how sharing happens on Google Drive. With Google Drive the sharing options are granular in a sense that you can go to the level of not only specifying who can view a document you've shared, but also what permissions anyone who has the link has. This prevents the situation where someone has the shared document link yet they were not the intended recipient thus preventing them from viewing it.

Not so long ago at the beginning of 2018 there was a flaw discovered in the Google Chrome web browser that allowed almost anyone to steal your saved passwords, form fields, bookmarks and browsing history. At the time, the flaw was reported to Google but the company apparently gave a nonchalant answer.

Share this via: