[Update 2: Vu’s Statement] Bug potentially exposes other users’ private Google Photos on Android TV devices

Update 3/4/19 11:35 AM: After Google issued a response, Vu has now shared a statement (below) on the Android TV bug.

Android TV is Google’s Android OS modified for TVs and digital media players. The whole Android TV experience differs from Android mainly through its interface, which focuses a lot on voice search and content discovery. While we don’t hear very often about Android TV and the updates Google has planned for the OS, the internet giant did announce Android Pie for Android TV back in Google IO 2018. Other than that, there really isn’t all that much you can do with a TV, other than consuming content.

However, somewhere along the path of content discovery, we may have accidentally discovered too much “content”. A newfound bug in Android TV and the Google Home app has allowed users to list out practically every account that is connected to an Android TV device.

When I access my Vu Android TV through the @Google Home app, and check the linked accounts, it basically lists what I imagine is every single person who owns this television. This is shocking incompetence. pic.twitter.com/5DGwrArsco — prashanth (@wothadei) March 3, 2019

As discovered by @wothadei when he tried to access his Vu Android TV device through the Google Home app, he could check out the linked accounts of a lot of users. What’s worse, personal photos linked to these accounts on Google Photos could have been easily displayed through the Ambient Mode screensaver settings, as demonstrated here:

Update: Fortunately for users, the bug stopped short of making it actually possible to display private photos from Google Photos.

Oh my god. Private @googlephotos of strangers are being shown to me in the ambient mode screensaver. SERIOUSLY WHAT THE FUCK?! @Google @GoogleIndia pic.twitter.com/VbMmb3B2Qp — prashanth (@wothadei) March 3, 2019

The user later on reset their Android TV, which has prevented them from accessing any image on Google Photos, even their own. It is also likely that photos of strangers weren’t actually shown, and just the accounts were listed; but that by itself is a cause of privacy concern that cannot be underplayed. The TV is from Vu, runs Android 7 and has not received any security patches since 2017. The same issue does not exist on the Mi Box 3 running Android 8 Oreo, but another user has chimed in to confirm that the issue is not restricted to the manufacturer Vu, but may be related to Android TV, Google accounts or the Google Home app.

For now, there is no fix or workaround. Your account may be accessible to other users on Android TV, even if you are on a private network.

Update 1: Google’s Response

“We take our users’ privacy extremely seriously. While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices.” Google spokesperson

Update 2: Vu’s Response