A researcher from Imperva found a couple of security vulnerabilities (now patched) in Google Photos and Android. The researcher was able to perform a side-channel attack to get metadata from people's accounts.
Google Photos Threat
A side-channel attack relies on weaknesses in how a service is implemented and how it behaves in use, rather than on a bug in the code. In this instance, Ron Masas found that a Google Photos search endpoint was vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search).
Next, I timed the following query “photos of me from Iceland” and compared the result to the baseline. If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland.
By adding a date to the search, he could figure out whether a photo was taken in a specific time range. By repeating this with different time ranges, he could estimate when that person visited the place where the photo was taken. Eventually, Mr. Masas was able to find the entire location history.
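The baseline comparison described above can be checked against a simulated endpoint to see when response time reveals whether a search matched. This is an added example, not code from the original article or from Imperva; the latency figures, function names and padding floor are constructed assumptions, and the padding shown is one generic mitigation, not a description of Google's fix.

```python
import random
import statistics

BASE_MS = 40.0      # constructed: fixed cost of handling any search request
HIT_COST_MS = 25.0  # constructed: extra work when the query matches photos
JITTER_MS = 3.0     # constructed: network/server noise (standard deviation)


def simulated_search_ms(has_results, rng, pad_to_ms=None):
    """Latency of one simulated search; no real endpoint is contacted."""
    latency = BASE_MS + rng.gauss(0, JITTER_MS)
    if has_results:
        latency += HIT_COST_MS
    if pad_to_ms is not None:
        # Server holds the reply until a fixed floor has elapsed.
        latency = max(latency, pad_to_ms)
    return latency


def timing_gap_ms(pad_to_ms=None, samples=200, seed=1):
    """Median latency of matching queries minus the empty-result baseline."""
    rng = random.Random(seed)
    empty = [simulated_search_ms(False, rng, pad_to_ms) for _ in range(samples)]
    hits = [simulated_search_ms(True, rng, pad_to_ms) for _ in range(samples)]
    return statistics.median(hits) - statistics.median(empty)


def leaks_result_presence(pad_to_ms=None, threshold_ms=5.0):
    """True if an observer could tell 'has results' from timing alone."""
    return timing_gap_ms(pad_to_ms) > threshold_ms


if __name__ == "__main__":
    for floor in (None, 50.0, 120.0):
        print(f"floor={floor}: gap={timing_gap_ms(floor):.1f} ms, "
              f"leaks={leaks_result_presence(floor)}")
```

A floor below the slowest matching response (50 ms here) still leaks, because only the empty-result responses get padded up to it.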
Google has since fixed the vulnerabilities.