Whoops! It seems there was a bug in the Android TV function that allows you to set your screensaver function to show your Google Photos, a reasonably serious bug that (given the right circumstances) allowed other users to view your photo stream.
When I access my Vu Android TV through the @Google Home app, and check the linked accounts, it basically lists what I imagine is every single person who owns this television. This is shocking incompetence. pic.twitter.com/5DGwrArsco
— prashanth (@wothadei) March 3, 2019
The tweet above shows what the user was greeted with when trying to setup the ambient mode screensaver, hundreds and and hundreds of Google accounts that he seemingly had availability of photo streams from. Fortunately the photo streams didn’t work, so perhaps Google knew of this already and were working on a fix?
Following the Twitter conversation, Google’s response was to check in with the TV manufacturer. Android Police has already done the legwork in contacting the TV manufacturer and Google about the potential for privacy breach with this bug getting the following from Google
“We take our users’ privacy extremely seriously. While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices.”
and this from Vu Technologies:
We were recently notified that there was a malfunction of Google Home App in some of the Android TVs. After verifying the incident we have informed our customers that it was not an issue of Vu Television but it was software malfunction of the Google Home App. We take your privacy very seriously. Vu has a long-standing commitment to protecting the privacy of the personal information that our customers entrusts to us.
Which is interesting given Google’s initial response, but it’s comforting to know that the issue has been resolved and photo streams re-enabled.
What’s more disturbing is how this happened in the first place.