Monday, January 28, 2008

SmugMug’s Private Pics Are Public

There’s a massive privacy hole over at photo hosting site SmugMug.com. The site claims to have over 270 million photos, and as I’ve failed to convince the site makers this vulnerability is worth fixing, I’m posting it here now as a warning: you must set photos you want to keep fully private to be password protected, too, not just private... and even then, we’re not fully sure it will cover all cases, though in my test that did the job. Co-editor Tony Ruscoe and I first noticed SmugMug’s photo saving scheme when pics of Google employee and SmugMug user Niniane Wang were popping up in RSS aggregator Friendfeed.com. Niniane was shocked when I told her about the security issues at the site, especially the fact that SmugMug doesn’t fix this.

To explain what’s happening so you can judge for yourself if this is worth fixing, here’s how SmugMug saves galleries and photo sources: they simply iterate the same number (ID) in the URL. You can use a user name as sub-domain or just write “www” and it will both work. Like these gallery URLs, which are public or “private”:

http://www.smugmug.com/gallery/1000
http://www.smugmug.com/gallery/1001
...
http://www.smugmug.com/gallery/4210001
http://www.smugmug.com/gallery/4210002
etc. ...

Or these partly public, partly “private” photo sources:

http://www.smugmug.com/photos/10000-M.jpg
http://www.smugmug.com/photos/10001-M.jpg
...
http://www.smugmug.com/photos/247000001-M.jpg
http://www.smugmug.com/photos/247000002-M.jpg
etc. ...

Tech blogger Andy Baio, who I asked for a comment on this, put it this way: “Oof, that’s awful. And it’s unbelievable that they don’t realize that it’s a security hole.” He added, “Smugmug’s users deserve to know their private photos aren’t private, and as soon as possible.” It took Andy only 15 seconds to launch and configure a Firefox download manager extension of his to start downloading 10,000 partly public, partly “private” photos of good resolution (10,000 being an arbitrary limit he picked, as he could have downloaded more). In my own tests of downloading just private galleries, I saw many mundane photos like vacation pics or animals, but also rarer pics of people skinny dipping, posing in the bed room with lingerie, modeling for artistic nude photos and so on. (And whatever you may think of these subject matters, their owners apparently tried to set them private for a reason.)

Now, SmugMug says they want to keep these private gallery URLs shareable, so that’s why they are still public in some way, and that they just don’t get linked from the homepage. But anyone with user security in mind will know that you can’t just iterate a predictable number if you want to keep these URLs even remotely safe – you would need to use a randomized string (GUID) for saving... something along the lines of the following (the specific length needed is debatable):

http://smugmug.com/gallery/20080128-ewi23wqo23sdjisdoi2w

At the moment, pictures which are not set to password protection but are clearly set to be private – even if other help labels explain that it’s just supposed to keep photos from showing up on the user homepage, the setting name is “public yes/ no” and the gallery will be labeled “private” if you activate this (see red font in screenshot below) – are public. You can’t directly see all the private pics knowing a specific user name (as that would require you to first download all galleries of SmugMug), but you can still grab thousands over thousands of random private pics.

Talking to some SmugMug users, I found out that some realize “private” pics aren’t really hard to find and that they made use of the password protection, while others were surprised that one could find these pics.

Failing to convince SmugMug this is an issue worth fixing

When I emailed SmugMug support to alert them of this issue, they got back to me to tell me this is “expected behavior” in order to keep galleries shareable. Which would still be the case if they were using GUIDs, except then the galleries wouldn’t be shared with the whole world, potentially! I was stuck in a long thread with them trying to convince them. Here are some of their answers – from their first reply:

Thanks for writing. This is expected behaviour. A private gallery just means that that gallery will not show up on your Smugmug homepage but it is accessible by knowing the direct URL to it. You do have the option of turning off external links so that no one can link to an individual photo. You may also password protect galleries so that no one can access them without a password.

After two more emails of mine, their second reply:

This is correct and is how private galleries work. A user needs the access key (the specific URL) in order to access the gallery or image within the gallery but that gallery will not be visible on your Smugmug homepage.

By now, I was talking to another support person already, and he even told me he’d escalate it to reply. Here’s some of what he said:

The photos you see in the manner below are public – ANYone can find it by search and browse :)

I told the support person that while he was referring to public photos, which indeed do pop up in the same matter, the issue was that private photos pop up as well! Writing again, I get this reply:

“Private” means it won’t be on the homepage. If you want them to not be found in this manner you describe, then you set SmugIslands to “no” and you can set a gallery password, or site password, in addition to disabling originals, and external links.

I continuously asked SmugMug for confirmations that all this is expected behavior, and was always surprised when they emphasized it is. By now, I really tried to go from support to CEO though. I told them that they should call their boss, that they should use GUIDs, that I was preparing a blog post on this, that one could see e.g. “private” galleries of people skinny dipping, that they should hire a security consultant and so on. After some time, here’s what the SmugMug CEO Don MacAskill replied:

I’m the CEO & Chief Geek at SmugMug, and I’m terribly sorry this is so confusing. Security & privacy are huge issues here at SmugMug, and we take them very seriously.

First of all, we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.

And that last sentence above is perhaps their main misconception – e.g. Andy Baio was able to download 10,000 photos, including private ones, without any owner sharing their gallery URL with him... and anyone else can do the same. Don however goes on to admit that there’s a “loophole” but says that guessing specific photos is incredibly difficult, and that in fact the problem would become smaller the more photos are getting added to SmugMug. Don also goes on to admit GUIDs would help:

I’m in completely agreement, that GUIDs would help greatly here, but I’m afraid our system wasn’t built for GUIDs, and retrofitting our code and database to support GUIDs would be an extremely expensive proposition.

Don said that it’s not necessarily that they’re not willing consider doing it, but that mine is the first “request” he’s seen in years to fix this (SmugMug exists since 2002). Don also mentioned he wanted to look into other (unspecified) issues in the future but it became very clear SmugMug doesn’t consider the main issue I brought up with them currently worth fixing. Later in the mail Don said:

You are, of course, free to blog about our settings – we’re very open about them and what the tradeoffs for the various options are. In fact, if you let me know about it, I’m likely to link to it from my blog. We’re also very open to change – nearly every feature, bug fix, and enhancement is driven by customer feedback, like yours. If our customers (or potential customers) asked us to adopt GUIDs because this was a bigger issue than we were aware – we would.

[Thanks Andy, Niniane, Jason, Scott and Tony!]

Update: The CEO of SmugMug, Don MacAskill, now blogged about this. Don and I remain to respectfully disagree on the core issue as I blogged above – his post title concludes that private photos are still private – so it’s probably not necessary to repeat the details of where I disagree with his points. [Thanks Don!]

Update 2: Note that as as SmugMug’s Mike Lane explains in the comments, only enabling password protection is also not enough to keep picture URLs private from people iterating IDs – you need to additionally disable the “external links” option in the security settings, and it’s enabled by default (otherwise only the gallery URL will be protected, but not the image URL itself – in my tests with a new account, that was true even when the non-public setting was used along with password protection, though different other circumstances or settings may or may not play a role here too in determining image visibility). [Thanks Mike!]

Update 3: We found out that not even photos set to non-public + password-protected + external-linking-disabled and what-not are private when using a certain different approach (this also enabled us to view a seemingly protected contest image put forth by SmugMug’s CEO). Due to SmugMug’s use of incremented IDs instead of e.g. GUIDs, these photos – which use every possible protection setting in SmugMug – can again be crawled in large numbers. Furthermore, we noticed there’s a way to show the first photo of password-protected galleries of specific users you can pick. (Other issues, like JavaScript injection, have popped up too.) We won’t disclose technical details in this post, but privately alerted SmugMug to these additional security vulnerabilities, giving them the full background. This time, CEO Don MacAskill agreed with our analysis, saying it’s “major.”

Update 4 on February 8th: SmugMug announced they’re now calling the option “unlisted” instead of “private” – see new interface for creating galleries – and they’re also appending a key to new URLs to solve the problems of photo IDs being easy to iterate. All old photo galleries on the other hand will remain insecure as outlined above (unless the user e.g. moves them into a new album).

SmugMug’s Private Pics Ar ... by Philipp Lenssen | Comments (123)

>> More posts

Advertisement