An Android TV user based in Chennai, India, has made a disconcerting discovery. While flipping through the settings for his Android TV-based Vu TV on his Google Home app, @wothadei noticed that the “Linked Accounts” section showed way more linked accounts than one would normally expect. Though it’s hard to be certain based on just looking at his screen recording, the number of accounts listed could easily be in the hundreds, if not thousands.
What’s more disturbing is that these same accounts were available to him when he entered the Android TV ambient mode settings, then jumped into the Google Photos option. Each one had a selectable toggle, and could be turned on or off. There’s no evidence that he was able to actually see photos belonging to these other Google account holders, which may mean the glitch didn’t go so far as to reveal private photos from one Android TV account to another. Still, it’s a little worrisome.
We did our own checking to see if we could replicate the bug, but our Google Home app,which is connected to an Nvidia Shield TV with the latest Android TV build, didn’t show anything out of the ordinary. For its part, Google has already dedicated resources to tracking down the source of the mysterious linked account bug, telling the original user that “we wanted to let you know we’re looking into this. We take any report like this very seriously, so in the meantime, we’re disabling Google Photos for Android TV and the ability to remotely cast via the Google Assistant.”
It’s also possible that the bug is a localized problem. As the list of linked accounts scroll by in the video posted by @wothadei, a significant number appear to have Indian names.
Officially announced in June, 2014, Android TV is Google’s TV-based version of its popular mobile operating system. Though there have only been scant reports of security issues, devices running Android TV have access to the Google Play Store for downloading apps, games, and other content. That online store has been the subject of several security concerns in the past, forcing Google to take special measures to bolster users’ confidence. One such move was to introduce Google Play Protect, which the company partially credits with the removal of more than 700,000 “potentially harmful apps,” or PHAs.