Android TV bug may have exposed private user photos

By Eric Abent/March 4, 2019 2:47 pm EST

Things have been relatively silent on the Android TV front lately, but today, the platform is forcing itself back into the spotlight. Unfortunately, it's not good news we're hearing, but rather reports of a serious-sounding bug that's potentially exposing the private photos of Android TV users. At the very least, the bug is causing Android TV and Google Home to show lists of Android users where they shouldn't be, which is bad enough.

The bug was first revealed by Twitter user @wothadei over the weekend. He says that when accessing his Vu Android TV through the Google Home app, he was showed an extensive list of "linked" accounts. "It basically lists what I imagine is every single person who owns this television," he said in a tweet to Google. "This is shocking incompetence."

When I access my Vu Android TV through the @Google Home app, and check the linked accounts, it basically lists what I imagine is every single person who owns this television. This is shocking incompetence. pic.twitter.com/5DGwrArsco

— prashanth (@wothadei) March 3, 2019

Things got more alarming from there. When selecting a linked Google Photos account to use with Ambient Mode slideshows, wothadei was again presented with a long list of presumed Android TV users, each of them with a toggle next their names. This, of course, suggests that you'd be able to view another user's private photos through Android TV's slideshows, though wothadei said later in an exchange with Google that he wasn't able to get anyone's Google Photos – not even his own – to show on his TV.

So, at best, it seems this Android TV bug lists other users as linked accounts in the Google Home app, and at worst, it potentially exposes private photos. In a statement to XDA Developers, Google said that it takes privacy "extremely seriously" and that it has disabled this feature while it investigates reports.

We take our users' privacy extremely seriously. While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices.

We'll see where things go from here, but there are definitely a lot of questions about the scope of this bug left to answer. Stay tuned, because we'll update you if Google serves up anymore information about this bug and what it may have potentially exposed.