According to Prashanth, the bug reared its ugly head on his own Vu-branded Android TV. While setting up a screensaver, the account selection page showed hundreds of unknown Google accounts. Each complete with profile pictures and showing up as linked accounts.
— Prashanth (@wothadei) March 3, 2019 Specifically, the bug gave him the ability to link random Google Photo accounts on his TV. Although selecting any of the accounts does not show the users’ private photos, this is nevertheless still a major breach of privacy. Prashanth had tried to replicate the bug on a Xiaomi Mi Box 3 running Android Oreo, but was met with failure. That said, It should be noted that Prashanth’s Vu TV was running on an older Android 7.0 Nougat OS. That had not been updated since December 2018.
But while Prashanth wasn’t able to replicate the bug, that doesn’t mean Android TV systems running on a more recent Android OS was safe from the bug. According to a second Twitter user by the name of Aarjith (@aarjithn), he reported the bug as present on his iFFalcon TV, which was running on Android 8.0 Oreo. Google’s response to the issue has been to disable Photos for Android TV and the ability to remote cast via Google Assistant. At the same time, Google has not announced or released a fix for the issue. (Source: Android Police, Images: Twitter (1), (2)