On a good day, Android TV, Google's Android OS for TVs, allows users to display photos from their Google Photos albums as screensavers. That's a nice perk -- when it doesn't potentially share your private photos with strangers. Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums.
If someone were to click on "linked accounts" while setting your Google Photos screensaver, the Google Home bug apparently showed a giant, scrolling list of users. From there, the bug allowed limited access to users' personal images in Google Photos, which could then be displayed as Ambient Mode screensavers. That is, someone could have theoretically displayed your photos as screensavers on their Android TV without you knowing it. The user who discovered this bug theorized that the list of accounts were other users with the same TV model, but that hasn't been confirmed yet.
There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime."We take our users' privacy extremely seriously," a Google spokesperson told XDA Developers. "While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices." At this point, it's not clear how widespread this bug was without Google commenting further, but at least they've closed the hole for now.
When I access my Vu Android TV through the @Google Home app, and check the linked accounts, it basically lists what I imagine is every single person who owns this television. This is shocking incompetence. pic.twitter.com/5DGwrArsco— prashanth (@wothadei) March 3, 2019