Smugmug Private Photos are for Anyone to See

January 28, 2008  |  , , , ,

SmugMug

Apparently the popular photo sharing site Smugmug has a huge security hole that could allow anyone with a bit of common sense to access private photos on Smugmug. The basic problem here is that Smugmug uses URL’s for public and private galleries in a way that can be easily guessed. And whats even more shameful is that the people behind the site are aware of this issue, but they seem to be too keen to say that this is intended behavior.

If seeing private photos via publicly accessible URL’s is what you call intended behavior then I have nothing else to say to the Smugmug team..

Let me take an example here, when I typed in http://www.smugmug.com/gallery/1021 into my browser, i was looking at a collection of photos that were perhaps not meant for people like you and me to have a peak at. Ofcourse Smugmug has other features like password protection, but I’m sure that most users would take password protection as an added trouble in making photos private. They probably think that by marking them as private, no one else except them could see it. But things don’t work that way at Smugmug.

This hole was discovered by Google Blogoscoped and here is what the CEO of Smugmug Don MacAskill had to say to Google Blogoscoped :

…we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.

But the URL’s that Smugmug generates for their private photos can easily be guessed and anyone who’s got a little bit of common sense could figure it out and look at photos they aren’t supposed to be seeing. A possible alternative for Smugmug would be to use URL’s like the ones Flickr uses that is based on the GUID of the image.

Have a look at these URL’s (these are private photos):

Things clearly aren’t looking good for Smugmug here. Someone could develop a bot that would download all private images from Smugmug and put it for everyone else to see, something that happened recently with Myspace.

Via Google Blogoscoped

Bookmark and Share
 
Tags: , , , ,

  • Enrico
    Just subscribed to smugmug, noticed the same problem and looking through the net for a solution.
    I guess it is quite easy to solve: create galleries that are accessible just by the owner when he's logged in.

    Smugmug is offered even as photo archive and I NEED to archive pictures that I don't want anyone to see, ever.
    It's just that easy. What better privacy access than my private login to ensure that this galleries are safe?
  • mikeren
    Forget photographic security with smugmug.Anyone can bypass their weak security and ive had it shown to me.
  • marie
    how do you do bypass the security?
  • Hi, I'm from SmugMug. You had stated "Have a look at these URL’s (these are private photos):" and "when I typed in http://www.smugmug.com/gallery/1021 into my browser, i was looking at a collection of photos that were perhaps not meant for people like you and me to have a peak at. Ofcourse Smugmug has other features like password protection, but I’m sure that most users would take password protection as an added trouble in making photos private. They probably think that by marking them as private, no one else except them could see it. But things don’t work that way at Smugmug."

    I just wanted to point out that this is a public gallery, accessible to anyone who searches or visits SmugMug, or who finds it via Google or other search tool.

    SmugMug customers have lots of security and privacy options.
    1. Total lockdown: site password, private and password protected galleries, and locking down the galleries from any indexing by search engines.

    2. Middle ground: I have no fence around my home, you can see my yard, through open windows if I have left the drapes open. I can also have a secret shed around back, with a lock on it. This would be a SmugMug customer who has a homepage accessible to the public, and some galleries open (public) and some galleries behind a curtain (private) and some out back in shed (locked!). An example would be my site http://www.moonriverphotography.com You see a few galleries when you click on my galleries tab, but in fact I have hundreds. Some private, some locked :) Client photos of mine that I do not want anyone to see, ever, but the client, are in a locked gallery, not indexed by Google, and the gallery doesn't allow any external links.

    3. Doors and windows open: The site is totally open. Go and see anything you like. But even here, customers can choose to have say, individual photos hidden within a gallery, can have sizes blocked (like originals maybe) or have external links on or off, their choice.

    Our customers can mix and match these various security and privacy options. We think having a choice is good.


    Our help pages explain it really well,
    http://www.smugmug.com/help/private-search-island
    http://www.smugmug.com/help/private-albums
    http://www.smugmug.com/help/private-photo-storage

    and anyone who wishes to contact us and talk about it, shoot an email to us:
    http://www.smugmug.com/help/emailreal

    All the best,

    - Andy
  • You actually do not need a bot to download all pictures, just a Firefox extension called Batch Download. I've written an article explaining the process.

    http://www.ghacks.net/2008/01/28/batch-download-pictures-from-sites-like-smugmug/
  • ub00t
    did the same, was entering same site as mentioned above, nothing wrong, could buy pictures of a party, if I´d like....

    Whats wrong bout that?
blog comments powered by Disqus