Following the discovery of a bug that showed hundreds of Google accounts as being linked to unrelated individual users, Google has temporarily shut down Photos on Android TV. The mysterious software flaw demonstrated potential privacy concerns, and the company said a fix is in the works.
According to Android Police, Google decided to pull the plug on its Photo service shortly after receiving a report from Twitter user Prashanth that he was seeing an enormous list of Google users in his linked accounts menu. Prashanth was using a 55-inch Vu LED TV when he noticed the endless scroll of unfamiliar user names and profile photos displaying on his screen.
Initially, a Google support Twitter account recommended that Prashanth contact the manufacturer of his TV. But then another Twitter user chimed in to say they were having the same issue and posted screenshots taken from his iFFalcon television that’s equipped with Android TV. Thankfully, none of the private photos of the erroneously linked accounts were accessible. The two users who posted about the bug were running Android 7.0 and Android 8.0 Oreo, respectively, so it appears that the issue is present in multiple iterations of the software. But Prashanth said he was unable to replicate the bug on his Android TV-equipped Xiaomi Mi Box 3.
When it became clear that the problem was most likely related to its software, Google decided to shut the feature down while it investigates further. The Google support account tweeted the following statement: “We take any report like this very seriously, so in the meantime, we’re disabling Google Photos for Android TV and the ability to remotely cast via the Google Assistant.”
While it appears private photos were inaccessible, that doesn’t mean a bad actor who knows what they’re doing couldn’t exploit the security hole to get their hands on users’ pics or otherwise use the account names to target users. As we saw with the iCloud leak of 2014, that sort of incident can spin wildly out of control.
We’ve asked Google if it has any further information about releasing a fix but we did not receive an immediate reply. We’ll update this post when we know more.