Did you know that the default link sharing option in Google Photos allows anyone with the link to view the shared files, and that every image shared in Google Hangouts is publicly accessible? In this edition of our leaky app series, we cover how image link sharing in Google Hangouts and Google Photos can lead to the accidental public exposure of sensitive data. We also look at the threat detection capabilities of Google Photos and Google Hangouts: whereas files uploaded to Google Drive are scanned for malicious content, no such scanning occurs in Photos or Hangouts.
This post is part of a series highlighting data exposure concerns in Google Calendar, Google Groups, Google link sharing, Zendesk, and O365 link sharing. We will highlight the exposure concerns, detection gaps in Google services, Netskope’s CTEP capability, and a method for data exfiltration.
Google Hangouts
In Google Hangouts, users can share images and videos alongside their chat conversations. Every image shared in Google Hangouts generates a public link, as shown in Figure 1.
The generated link is accessible to anyone, without any authentication. On top of this, the link remains valid indefinitely unless the image is deleted from the Google Album Archive. This is true even of images uploaded while “conversation history” is disabled: although the conversation itself is not retained, the images shared while history is disabled are.
Google Photos
Like Google Hangouts, Google Photos also allows users to upload and share photos and videos. By default, shared photos and videos are accessible to anyone with the link, who can view the photos or albums as shown in Figure 2.