Google Blogoscoped

Friday, February 27, 2009

Picasa Privacy Oddity

Odd. I recently searched Google Images for site:ggpht.com and, after some more operator adjustments, was able to retrieve several large pictures of a Picasa album set to “sign-in required to view” (Google stores the images at e.g. lh4.ggpht.com, perhaps short for Picasa project name “Lighthouse” and “Google Photos,” respectively). While the images might have been public or unlisted-but-linked before, which would explain why they were indexed in the first place – making this a relatively harmless case – this goes to show that not password-protecting a sign-in locked album’s image URLs themselves is still not as utterly-security-obsessive as could be (which is noteworthy considering Picasa Web Album’s mixed privacy history of the past).

The album images in question are not available anymore via above method. I alerted Google Security to this on January 7, but don’t know if they fixed the issue (there was no response to that regard after the templates).

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!