Imagine you’re setting up your Android TV to display pictures of your cat, or your kids, or your main squeeze, in Backdrop/Ambient Mode.
But instead of photos of your trip to Belize, you see a parade of strangers: as in, Google accounts belonging to people you don’t know, including their profile pictures, all showing up as linked accounts.
That’s what happened to Twitter user Prashanth, who on Saturday posted a 44-second long clip of the accounts that streamed by when he was trying to access his Vu Android TV through the @Google Home app on his phone:
prashanth (@wothadei) March 03, 2019
Fortunately, the strangers’ photos stayed tucked away, given that access to the photos themselves was blocked. In fact, Google Photos functionality didn’t seem to be working.
Prashanth told Android Police that he first spotted the bug on his home TV, a 55-inch Vu LED TV (model number: 55SU134) with built-in Android TV functionality, while setting up Backdrop/Ambient Mode through his Pixel 2XL phone.
He said that he double-checked the glitch by signing onto the TV with his wife’s Google account. It again showed the list, except this time Prashanth also spotted his own name and profile picture.
He couldn’t replicate the bug on his other Android TV, a Xiaomi Mi Box 3 running Android 8.0, Oreo. His Vu TV was running an older operating system: it was on Android 7.0 and hadn’t received any security updates since December 2017, though Prashanth had manually checked for them. According to Android Police, the website where he bought the TV says that its current operating system is Oreo, which suggests that the over-the-air update never arrived.
The old kick-the-TV trick
Google initially responded to Prashanth by suggesting he contact the TV manufacturer:
Made by Google (@madebygoogle) March 03, 2019
… A suggestion that drew the “nope, it’s not the TV” response of another user, who confirmed the same bug, this time on an Android TV-equipped set by TCL-subsidiary iFFalcon (model number 32F2A).
Aarjith Nandakumar (@aarjithn) March 03, 2019
No more pics on Android TVs until this bug is dissected
Google thanked Aarjith Nandakumar for the additional details and, this time, said that it’s looking into the possible privacy breach. In the meantime, it’s disabled the ability to remotely cast via the Google Assistant or to view photos from Google Photos on Android TVs:
Made by Google (@madebygoogle) March 04, 2019
Vu Technologies sent this statement to Android Police:
We were recently notified that there was a malfunction of Google Home App in some of the Android TVs. After verifying the incident we have informed our customers that it was not an issue of Vu Television but it was software malfunction of the Google Home App. We take your privacy very seriously. Vu has a long-standing commitment to protecting the privacy of the personal information that our customers entrusts to us.
Source : Naked Security