A vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images they stored in the account. The flaw affected the Google Photos search endpoint that allows users to quickly find pictures based on aggregated metadata, such as geo-location and date of creation. A browser-based timing attack that takes advantage of how the same-origin policy (SOP) typically functions in browsers could help an attacker determine a user’s location or travel history.
Source: https://www.bleepingcomputer.com/news/security/google-photos-bug-exposed-the-location-and-time-of-your-pictures/

