Google has discovered a massive bug in Android TV. The company’s Google Home app, which is used to manage Android TV’s linked accounts feature, is letting people access other users’ data.
The issue, which only seems to affect some Android TVs, allows you to view and access data of other users with the same TV. A Twitter user first discovered the bug on their Vu Android TV, where the Google Home app listed other users with the same TV under Linked Accounts (via Ars Technica).
On its own that is not a huge problem, but it gets worse.
On TVs that allow you to show pictures in the ambient mode screensaver, you can use photos from strangers and access those photos without their knowledge, because their accounts appear among your other accounts within the Google Home app. That also means these users can access your own photos on Google Photos. The bug allowed users to view the profile pictures of other users without having any connection with them. Although it was originally reported that you were able to access someone’s photos from Google Photos, it turns out that you can only see their profile pictures. Still, with Google refusing to comment on how widespread the issue is, or how exactly it’s affecting users, the whole situation is quite concerning.
The manufacturer of the Android TV stated that the issue was due to a software malfunction on the Google Home app, and it’s not a problem with its own TVs. Google first tried to blame the issue on the TV manufacturer, even going as far as telling the user to reach out to the TV manufacturer about the issue. The company later accepted defeat and disabled the Google Photos integration on Android TV devices as it looks into fixing the issue.
Update: the story was updated with a correction regarding how the flaw only exposes your profile pictures.