Google+ images security hole

On 16/04/2014, in Security, by Norman Dean

I just found a major flaw in the security of Google+ images that affects the privacy of images sent between Google Hangouts app users. Android users who use the Hangouts app instead of the normal SMS app more than likely have their private messages and pictures stored on a Google+ server, and there is a giant gaping security flaw in how access to those images is doled out. Basically, there is no access restriction if you have the link.

Let's say you have a private chat using Hangouts and send a few confidential images to each other. Google automatically stores them on Google+ images, formerly Picasa. You and the other person are the only ones who are supposed to be able to see the images, BUT if you copy the link to the image, there is free, in-the-clear access to that image with no account login required!

The image below is not supposed to be viewable:


