A few days ago, my colleague and I stumbled upon something that freaked us out. We are both IT folks and wannabe security experts, and basically very paranoid when it comes to how we access, share and communicate on the web. Perhaps that is why we were so shocked by what we stumbled upon in Google Hangouts, which we use often to chat and communicate. After all, Google Hangouts is encrypted and secured, right? Well, yes, technically, or so we thought.
We discovered that images shared via a Google Hangouts chat are not private to the parties in the hangout/chat! It turns out that anyone can view any image you share via Hangouts without breaking a sweat. Here is the proof:
- From your Gmail, pop out Hangouts and start a Hangouts chat with a friend. Share an image with them (upload it from your computer; it works the same for an image stored in Drive or Photos) and send it to the other party.
- The recipient can preview the image in the Hangout or click on it to view the full image in a new tab/window.
- The link opens in a new tab/window.
- Copy the image URL, open a new browser/incognito/private session and paste it. You are able to view the image. This means the private image you shared via Google Hangouts is actually available publicly, and anyone with knowledge of the URL can view your images.
(We tested this on both consumer Gmail/Hangout and G Suite Hangout with the same result.)
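As an added example (not code from the original post), here is a small Python script that automates the last step above: it fetches each shared-image URL through a fresh opener with no cookies, login or referer, and reports which ones serve an image to a completely anonymous client. The URLs and the injectable fetch hook are assumptions for illustration and testing.

```python
"""Audit links you shared yourself: does an anonymous client get the image?

Added example; the URLs are placeholders, not real Hangouts links.
"""
import sys
import urllib.request
from urllib.error import HTTPError, URLError


def fetch_anonymously(url, timeout=10):
    """Fetch url with a brand-new opener: no cookie jar, no auth, no referer.

    Returns (status, content_type). Redirects are followed, so a login
    redirect typically ends as a 200 text/html page rather than an image.
    """
    opener = urllib.request.build_opener()  # deliberately no HTTPCookieProcessor
    req = urllib.request.Request(url, headers={"User-Agent": "link-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as err:  # 401/403/404 still carry useful headers
        return err.code, err.headers.get("Content-Type", "")
    except URLError:
        return 0, ""


def classify(status, content_type):
    """PUBLIC: the raw image is served to anyone holding the URL.
    GATED: denied outright, or an HTML (login) page came back instead.
    """
    ctype = content_type.lower()
    if status == 200 and ctype.startswith("image/"):
        return "PUBLIC"
    if status in (401, 403) or (status == 200 and "text/html" in ctype):
        return "GATED"
    return "UNKNOWN"


def audit(urls, fetch=fetch_anonymously):
    """Map each URL to PUBLIC / GATED / UNKNOWN using the given fetcher."""
    return {url: classify(*fetch(url)) for url in urls}


if __name__ == "__main__":
    # Usage: python audit_links.py <url> [<url> ...]
    for link, verdict in audit(sys.argv[1:]).items():
        print(f"{verdict:8} {link}")
```

A PUBLIC verdict means the link alone is the only thing protecting the image; treat it as "anyone with the link" sharing, not private sharing.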
Naturally we tested this theory a few more times, and it proved to be true. So we reached out to Google through the Google Vulnerability Reward Program and reported the issue, convinced it was worth looking into. After a few days, we were made aware that this is not a security issue at all! We were told that this was not a security bug but basically how Google Hangouts works:
We've investigated your submission and made the decision not to track it as a security bug.
A Google Hangouts chat. Source: http://images.techtimes.com/data/images/full/248481/google-hangouts.jpg
Naturally we were upset that the product and company we love so much did not see any issue with the private images I shared through their platform being made public. Even for Google Drive and Photos, all documents shared are private to the user and anyone he/she chooses to share with. Even if I share a link with you without giving you access, you basically would not be able to view my files in Google Drive/Photos. Why this would be different for Google Hangouts is a mystery to us, as it is to you. I hope Google fixes this, as I will not be sharing any sensitive images via Google Hangouts anytime soon!