Picture this: you're setting the screensaver on your Android TV to show pictures from your Google Photos account, but wait — the account selection page shows hundreds of unknown Google accounts, complete with profile pictures, all showing as linked accounts! This is exactly what happened to at least two Android TV users, on television sets from Vu and iFFalcon (a subsidiary of TCL).
Left: A blurred-out list of hundreds of Google accounts. Right: We spotted some generic accounts like "Testing Account" and "Vu Technologies," the name of the TV manufacturer.
Twitter user Prashanth first spotted this bizarre bug on his home TV, a 55-inch Vu LED TV (model number: 55SU134) with built-in Android TV functionality, when setting up Backdrop/Ambient Mode through his Pixel 2XL. He could see a seemingly endless list of accounts that were apparently linked to his — though selecting the accounts didn't actually show him those users' private photos, as the Google Photos functionality didn't seem to be working.
Left: The Vu TV running Android 7.0. Right: The model number of his TV
Prashanth was kind enough to share more details about the incident — he signed into the TV with his wife's Google account to be greeted with the same list, except this time he could spot his own name and profile picture in it. The bug couldn't be replicated on his other Android TV, a Xiaomi Mi Box 3 running Oreo. It should be noted that the Vu TV in question still runs Android 7.0, with no security updates since December 2017, despite him manually checking for updates. The literature on Flipkart (the site through which he bought the TV) currently mentions Android 8.0 Oreo as the operating system on the unit, so it looks like that OTA update didn't push to his TV.
Reaching out to Google support on Twitter resulted in them suggesting Prashanth contact the TV manufacturer instead — not an ideal response if you ask me, especially since another user confirmed the self-same bug, this time on an Android TV-equipped set by TCL-subsidiary iFFalcon (model number 32F2A).
The second user with this problem, Aarjith, has a TV running Android 8.0 Oreo, with a security patch from August 2018, so it doesn't look like having an old version of Android TV is what caused the bug.
We reached out to Google, VU Technologies, iFfalcon, and TCL for comment. A Google spokesperson said:
"We take our users’ privacy extremely seriously. While we investigate this bug, we have disabled the ability to remotely cast via the Google Assistant or view photos from Google Photos on Android TV devices."
Probal Bose of Vu Technologies PVT LTD said:
"We were recently notified that there was a malfunction of Google Home App in some of the Android TVs. After verifying the incident we have informed our customers that it was not an issue of Vu Television but it was software malfunction of the Google Home App. We take your privacy very seriously. Vu has a long-standing commitment to protecting the privacy of the personal information that our customers entrusts to us."
The bug has been squashed for now, though at the cost of reduced functionality for all Android TV users. I shudder to think of what someone with nefarious intentions may have been able to sniff out had this gone unchecked, and hope that down the line, Google provides a satisfactory explanation about how this could have taken place.