[Update 2: Vu’s Statement] Bug potentially exposes other users’ private Google Photos on Android TV devices

[Update 2: Vu’s Statement] Bug potentially exposes other users’ private Google Photos on Android TV devices

Update 3/4/19 11:35 AM: After Google issued a response, Vu has now shared a statement (below) on the Android TV bug.

Android TV is Google’s Android OS modified for TVs and digital media players. The whole Android TV experience differs from Android mainly through its interface, which focuses a lot on voice search and content discovery. While we don’t hear very often about Android TV and the updates Google has planned for the OS, the internet giant did announce Android Pie for Android TV back in Google IO 2018. Other than that, there really isn’t all that much you can do with a TV, other than consuming content.

However, somewhere along the path of content discovery, we may have accidentally discovered too much “content”. A newfound bug in Android TV and the Google Home app has allowed users to list out practically every account that is connected to an Android TV device.

As discovered by @wothadei when he tried to access his Vu Android TV device through the Google Home app, he could check out the linked accounts of a lot of users. What’s worse, personal photos linked to these accounts on Google Photos could have been easily displayed through the Ambient Mode screensaver settings, as demonstrated here:

Update: Fortunately for users, the bug stopped short of making it actually possible to display private photos from Google Photos.

The user later on reset their Android TV, which has prevented them from accessing any image on Google Photos, even their own. It is also likely that photos of strangers weren’t actually shown, and just the accounts were listed; but that by itself is a cause of privacy concern that cannot be underplayed. The TV is from Vu, runs Android 7 and has not received any security patches since 2017. The same issue does not exist on the Mi Box 3 running Android 8 Oreo, but another user has chimed in to confirm that the issue is not restricted to the manufacturer Vu, but may be related to Android TV, Google accounts or the Google Home app.

For now, there is no fix or workaround. Your account may be accessible to other users on Android TV, even if you are on a private network.

Update 1: Google’s Response

We take our users’ privacy extremely seriously. While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices.

Google spokesperson

Update 2: Vu’s Response

Vu Televisions were recently informed about a malfunction of the Google Home App in an Android TV. After verifying the incident Vu Televisions informed Google who has confirmed it was a software malfunction of the Google Home App.

We thank our customer who brought this to our notice, and we can confirm that Google is rectifying their fault immediately.

Vu Televisions is known for its excellent and responsive customer service, and is the only television brand with an ISO 9001 service center.

VU Team

Discuss This Story

READ THIS NEXT