That was monumentally stupid. Security/privacy by obfuscation (GUIDs) is no security at all but a predictably incrementing ID number? I agree that retrofitting the system to use GUIDs is a bit hard but they should've considered it in the first place since it's a very small investment that would make browsing private pics extremely harder.

Hey Philipp,

i totally agree with you: This is a high grade problem. And the only way to solve this issue is by the users. Most other companies would have changed that ASAP as it's a massive lack of privacy – a problem that could result in judicial hassle.

I think there's a discrepancy of information between the CEO (a non-tech?) , the support team and the developer team. Every passably skilled developer would understand about that.

Best Regards,

Stefan

As Philipp mentioned, it took me about 15 seconds to generate a gallery of images using FlashGot's "Build Gallery" feature. From there, I found private photos of a naked man taking photos of himself in a bathroom, candid photos of a couple from what appeared to be a vacation or honeymoon, and a topless pregnant woman. It was easy to then identify the username of the uploader by removing the "www." from the image URL, which then redirected to the user's subdomain.

This is the kind of security hole that could ruin lives. Don and the SmugMug crew are clued-in guys, so hopefully, they'll realize the gravity of this situation and change it immediately.

If a person is dumb enough to post personal pics of themselves or family members on the web they get what they deserve. Wake up!
Do not post pics you would not want to world to see on the net, stupid!

Sorry to be so harsh but use some common sense.

So basically you can download all the photos from SmugMug. If the site has 200 million photos, you'll have a lot to sift through. Just because you can download a photo, doesn't mean you can specifically download someone's private photos or know who posted a photo. But maybe I'm wrong.

Let's say I find this picture:
http://www.smugmug.com/photos/59000759-M.jpg
Can you find information about it?

it.s a user named kbatts on an orlando spring break during 2006
http://kbatts.smugmug.com/gallery/1256463#59000759

It is not a private foto since you can access it through the user panel.
I guess the writer of this blog tried himself to upload some photo's, label them private and try to access them.

The way to find the user name is:

delete "www.", the subdomain will then show the user name. Delete everything after ....com/ and you will access the public userpage of that person.

Ionut: I can't go find a specific user's private photos right now, but it only takes one dedicated person to write a crawler that scrapes each photo ID (as I described above) to determine the privacy level, gallery ID, and username. Obviously, it'd take time to get through all 200M photos, but it only needs to be done once.

Also, note that the a 17GB torrent of the 567,000 private Myspace photos is currently the #12 most popular torrent on the Pirate Bay:

http://thepiratebay.org/top/all

John: I think you're wrong. People upload photos to the web for personal use (keeping a safe backup) or for sharing with family members or a significant other, and their expectation of privacy is completely reasonable. It's not fair to say that people shouldn't post private photos online, especially as everything moved into the cloud.

oeroek:
I see. If you can associate any photo with a user(name) then it's pretty bad.

I did associate the foto of ionut with a username, read my post above.

Philipp and I also noticed oeroek's trick to finding out which user the photo belongs to. (This doesn't always work for some reason.) I'm not sure whether Philipp intentionally didn't explain that in the post or not though.

From Philipp's post:
<<In my own tests of downloading just private galleries...>>

And how do you download private galleries? Do you need to download all the photos first?

The way Google do it, with e.g. "private" URLs for Google Calendar feeds is to use a random (unguessable) URL that can also be reset, so you can invalidate all existing URLs. (This is all over HTTP, so it's not bulletproof, but you can "manually" change the scheme to https.)

I can't remember the exact details, but I think Flickr used to have a similar "problem"; the Public/Private FAQ says that since 2007-04-20, changing the privacy level also changes the URL. (I think that previously, the URL didn't change, only whether the photo would be linked from other pages.)

On a side-note, Google's Picasa Web Albums had a similar issue in the past, though their's was much weaker in effect for different reasons – like the distinction in terminology as they didn't call it "private" but called it "unlisted" --, and they finally listened to the criticism and changed their system to use GUID-style URLs. http://blogoscoped.com/archive/2006-10-07-n48.html

The conversation were having here is amazing similar to the one that we had when PicasaWeb first came out.

John: I'm one of those people that post family pics online. It's a calculated risk that I'm willing to take to provide relatives with pictures of my family. On the other hand, if I set my album to private, I certainly expect some level of privacy, namely that you can't just guess my album name and presto your in.

Full disclosure, I work for SmugMug. I happen to live in the UK at the moment and I'm assuming that those in the US aren't quite up yet so I thought I'd go ahead and post some specific responses as best I can now rather than wait for several hours for the USA folks to start their days. FYI, I started out on the help desk and I've since moved into doing some of the web designing while keeping up a short help desk shift each week (as everyone else in the company does).

Now, just out of curiosity, I've got three private, non passworded galleries on one of my SmugMug sites (my infant son's SmugMug site). Can someone post a link to one of them using a crawler?

From my perspective it seems as if our main problem is that we haven't communicated what users can expect from our various privacy and security settings well enough. There are some, as Philipp mentioned in his article, that understand that setting a gallery or an image as private does not prevent anyone from actually seeing it. There are, however, those that clearly do not understand this and that this is intentional. If this were made clearer somehow, would this be as big of a concern?

I just want to reiterate that you can lock down your photos on SmugMug so that you can prevent your photos from being seen at all. Philipp's post seems to give the impression that the measures we've taken are probably not secure which simply isn't the case.

This story on digg: http://www.digg.com/security/Massive_privacy_hole_over_at_photo_hosting_site_SmugMug_com

"I've got three private, non passworded galleries on one of my SmugMug sites (my infant son's SmugMug site). Can someone post a link to one of them using a crawler?"

I don't know, but that's just not a main issue with this hole. The main problem is not your friends finding your private galleries, but the fact that people with bad intention can browse users' private galleries on a massive scale and that post their naked or embarrassing photos somewhere else on the web.
And I think it makes it more, not less, serious.

Ludwik, okay so the issue, again, is that people simply aren't aware that this is possible. If you password your naked or embarrassing or whatever photos (which we highly encourage) or take other steps we offer, then this can't happen. You can make it so nobody can find, see, or post your SmugMug images elsewhere with other gallery settings.

So this is more of a communication issue than a security issue. Am I wrong?

<< If you password your naked or embarrassing or whatever photos (which we highly encourage) or take other steps we offer, then this can't happen. >>

Mike, do you only need to password protect them or also switch off the public option?

(BTW, I think was able to find your son's galleries just by doing some guess work – but armed with that knowledge and a crawler, I guess it *may* be possible to find those private albums...)

Tony, no, you do not need to also switch off the public option, though you may if you so choose. Setting a password will prevent crawlers from seeing the gallery, it will prevent unauthorized access (with a strong enough password of course), and it will prevent images from being linked externally. All of those things are true if the passworded gallery is public or private. Lots of people (wedding and event photographers for example) have public passworded galleries so that only their clients can see them.

Mike: Do the image URLs change to a non-sequential format when the password's set? Can you post an example of the protected image URL?

Give me a second to set up a passworded gallery...

A Digg user by the name of Lanemik (identified as Mike on the profile page) writes:

<<Those posting images on SmugMug can make it so nobody can find, see, or post them anywhere else on the internet if they choose to do so. This blog post neglects to give details on SmugMug's security features which makes it less than balanced or fair.>>

A Digg user by the name of GrannyRobin says:

<<My understanding is that this [blog post] is inaccurate and doesn't tell the full story.>>

I forgot I already had one. Okay first go here: http://mikelane.smugmug.com/gallery/2668839

Now, obviously I'm not overly concerned with the security of that gallery, so the password I set is clearly not a secure one. What's more, I up and tell you what the password is right there in the hint. I can set the hint to be whatever I want, in this case I told you the password. I think I was just messing with settings or testing things out at some point, I don't really remember.

In any case, feel free to go into the gallery with the password and have a look at the two images. The urls for the two images are like any other SmugMug url. When you paste the image url into your browser it won't show up (unless it is in your cache from viewing the gallery just now, that's important) because I set the external linking to no.

So even if you were to crawl the URLs, you would come to those and not see anything. This is true even if you do not have a password set and you have external links set to no. If you crawled the gallery id and found the gallery I linked, you'd have to enter a password to see it.

Hi Phillipp, lanemik is obviously my Digg username. I'm not much for anonymity.

Mike Lane:

> Setting a password will prevent crawlers from seeing the gallery, it
> will prevent unauthorized access (with a strong enough password
> of course),and it will prevent images from being linked externally.

Thanks for testing this. So – just to confirm – there's absolutely no way that photos in password protected galleries can be viewed without entering the password? (Or is there a way to configure certain options to allow this if the user wanted to do so...?)

That's where the "chief geek" gets things wrong: "Only people you’ve shared this URL with can find the gallery and/or photos in question."

Nope... anyone can find the photos in question.

Hi Tony, no problem. It is possible to see photos using URLs even if they are in password protected galleries *unless* you set the external link option to no. I may not have made that clear enough in a previous post. If not I apologize.

If you've got pictures that you really don't want people to see, put them in a password protected gallery and set external linking to no. This will prevent people from seeing the images when crawling the image URLs and it will prevent people from seeing the gallery when crawling the gallery URLs.

Unfortunately, Philipp didn't mention this in his post.

I agree, this is bad and should be fixed ASAP.

fernando:

as mentioned above (when mike lane challenged anyone to find his infant sons photos, and no one could), you can't just pick a user and find their private galleries. If you think you can, do it. What you can do is find random private galleries, which people have said could lead to embarrssing or blackmail-ish behavior – heres a hint – if it is something that someone could BLACKMAIL you with, why dont you put a password on it?

The real use that private galleries have (that no one seems to realize, construing that you should use them instead of passworded galleries), is that you want to upload some random photos – say you have a serious professional photography site, and you have some photos from a family gathering. You don't want you clients clicking through your site seeing them, so you upload the gallery as private – so it wont show up on your page.

It is that simple, and people are being pretty ridiculous about it.

Would hashes for urls be better? Sure. Are they needed? No. If you want something to be non-accessible, password it.

Though possibly if you are getting nude photos, there could be more education on the user end...

Also, whoever posted this to Digg is an idiot. 'Massive security hole'? This is intended behavior. There is no 'hole'. The myspace hole was a hole – images that were supposed to be available only to your friends weren't – this is nothing like it.

(and no, I do not work for smugmug.)

> If you've got pictures that you really don't want people to see, put them
> in a password protected gallery and set external linking to no.

And that's how people are getting into the situation where they *think* they're making their photos private but they didn't complete all the necessary steps.

> Unfortunately, Philipp didn't mention this in his post.

I think it's more unfortunate that SmugMug doesn't really make this clear.

Even if nothing else is done, clearer instructions are definitely needed.

> Even if nothing else is done, clearer instructions are definitely needed.

Yup, Tony, that's what I was getting at in my first post when I said: "From my perspective it seems as if our main problem is that we haven't communicated what users can expect from our various privacy and security settings well enough."

The question I asked then, and I'll ask again, was if this [the settings required to make it so your photos can't be seen even by crawling the urls] were made clearer somehow, would this be as big of a concern?

daniel patterson :

> If you want something to be non-accessible, password it.

And if that was all that's required, that would be fair enough. But now it seems you actually have to password it *and* switch off another option.

Has the "external linking" option been cropped out of this screenshot? I can't find it:

http://blogoscoped.com/files/smugmug-public-no.png

Tony: No, it's "ext. links:" and it's 3 down from "public:"

Wow, this seems blown way, way out of proportion. If a Smugmug user needs security, he can set a password. If he needs privacy, he can make a gallery private and remove any link to that gallery from his site. Additionally, he can remove all breadcrumbs so that nobody would ever know the photos were his.

I use Smugmug. I use passworded galleries for very personal photos and private galleries when I don't want a gallery directly linked off my homepage. This just seems like the author aas digging for an exciting story and decided to completely ignore the password option.

Thanks Mike. I see it now. (I thought it said "show external links".) Is that option switched on or off by default?

George, this statement is completely inaccurate:

> This just seems like the author aas digging for an exciting story
> and decided to completely ignore the password option.

I'm quoting directly from the blog post:

<< I’m posting it here now as a warning: you must set photos you want to keep fully private to be password protected, too, not just private... >>

<< At the moment, pictures which are not set to password protection but are clearly set to be private [...] are public. >>

<< Talking to some SmugMug users, I found out that some realize “private” pics aren’t really hard to find and that they made use of the password protection, while others were surprised that one could find these pics. >>

External links are on by default Tony. You can, however, make a custom gallery setting that will turn them off (and adjust the other settings as well). When you create a gallery you can then set it to use your custom gallery setting so you don't forget anything.

> External links are on by default Tony.

Then I think the problem here is that whilst the average (or even below-average) user will definitely understand what password-protection is, they may not really understand what external linking is and know whether to switch it off.

And to answer your original question:

> From my perspective it seems as if our main problem is that we
> haven't communicated what users can expect from our various
> privacy and security settings well enough. [...] If this were made
> clearer somehow, would this be as big of a concern?

I think the obvious answer is no, it wouldn't have been as a big of a concern. But if my bank (for example) told me that all my details were "private" I would expect them to be exactly that, and most definitely not made available for the public to see.

I don't understand why if you have pictues that are private that you feel the need to post them on huge social media sites that millions of people try to hack on a daily basis. Talk about an extended background check.

[Irrelevant URL removed – Tony]

I think we spell out external linking fairly clearly on our help pages Tony. What I'm not so sure about is the connection between that and private and passworded galleries. IMO, it is the link between the two that has even the techy people on here confused and up in arms. I assure you everyone at SmugMug is aware of all of this and we'll have in-depth conversations about how to make it better.

Tony, thanks for your inputs and thanks for keeping a level head about this :-)

Mike Lane, you are motivated to look for a constructive solution... and thanks for getting involved here. You are actually right, when writing the post I wasn't really aware that not even password protection always helps, depending on other settings... though as you probably agree that makes things worse for SmugMug security/ privacy/ usability, not better, than outlined in my post.
But how about you guys get together and seriously look at this issue and you discuss it with your US colleagues, and then you can look into switching to e.g. GUIDs, and then switching the interface to read e.g. "public" vs "unlisted". (Note for something to be "unlisted" you also need to use GUIDs, or else everybody can create their own "list" to look at the pics.) During the transition phase, you may even want to look into setting all "private" galleries to be fully locked (to protect users who may have misunderstood this setting), and e.g. send out an email to all users telling them about the issue and showing them how they can easily unlock it should they want to.
The GUID'ified image URLs should also not contain any image resolution indicator (like the current -th for thumbnail, -m for medium etc.), just that someone can never go from a thumbnail to a higher resolution.

Knowing about the additional password setting issue you mentioned I would also suggest to make it so that password-protected pics are always protected, nevermind what any of the other settings say. A password should appear even when accessing the direct image URL, not just for the gallery page, if you enable a password.

Smugmug has always struck me as a second rate site that is coasting along on an outdated platform. I paid for a year and tried to use it, but found it primitive with a poorly designed interface. I do web programming myself and can see through the cracks in most of this kind of software. Though flickr isn't perfect, either, at least it seems to have a modern software intelligence behind it.

Hi Philipp, we're all motivated for constructive solutions to customers' problems, I assure you. :)

The topic of not allowing external links with passworded or private galleries comes up from time to time. I think the general idea is that we should let the user link images externally if they so choose, even in passworded galleries. That combined with the fact that we have a means for them to prevent it easily means there is more flexibility for the user. Turning off external links in private galleries would prevent the crawlers, but it would also prevent people from hotlinking images to their own blogs or to ebay or whatever.

And that comes back to what Don was getting at I think (not to put words in his mouth). Setting the public option to no adds a bit of privacy, if you want or need more, there are many other layers available. SmugMug shouldn't be deciding what security is best for you photos, you should, and we give you the tools to go from having your photos open to the world to completely locking down you photos and your site entirely to anyone and everyone.

I assure you this is being discussed and will be discussed further. In the mean time, if you'd like to protect photos from being crawled, simply turn off the external linking. If you'd like to prevent galleries from being crawled, simply set a password. I hope that helps.

Hey this Mike Lane guy seems to be level headed about this .. and from what I am reading is, that they are trying to sort out the issues and am I correct in assuming that he is part of the team on smugmug ?

.>>>[..] But how about you guys get together and seriously look at this issue and you discuss it with your US colleagues, and then you can look into switching to e.g. GUIDs, and then switching the interface to read e.g. "public" vs "unlisted".

Phillipp, from a product standpoint, this type of conversation is best taken into back channel mode. I believe that your recommendations are sincere and worthy of being discussed. But, Truthfully after discovering an issue and they (smugmug) conceding the point. Does it really benefit you on how they construct the solution and discussing the architecture of the darn thing within a forum the best way to go move forward and ensuring that privacy and security is robust for the product ?

/pd, Yes I work for SmugMug.

I'm a flickr user but I respect the smugmug product, I just can't understand the issue. Set the photos "available only to friends/family" and no one else can access them. Am I wrong? Forgive me I don't know what GUIDs is.

i dont really understand what everyone is concerned about. I am a user of smugmug, and it was painfully obvious to me when I setup my account how the privacy works.

I dont think they could have made it any easier...I mean, it says right next to the public yes/no radio button "show this gallery on your homepage?"

it doesnt say anything about no one ever being able to see it. And the options immediatly under that one clearly say:

Yes: No: can Google find your smug mug?
Yes: No: do you want your photos in SmugMug's search?
Yes: No: allow external links (eBay, forums, etc)?
Yes: No: hide your name, navigation, and look & feel?

how much more obvious can it be?

> how much more obvious can it be?

Surprisingly, some people think that "big red buttons" are obvious – and yet plenty of usability tests prove that many people actually subconsciously ignore big red buttons.

If a radio button says "public: yes / no" I shouldn't *need* to read the hint for that question – and definitely shouldn't need to read the hint text for any others. I know exactly what "public" means and if I choose "no" those photos should not be publicly available unless I explicitly say so.

For me, the most simple solution to half the problem here would be to make the "ext. links" option default to "no" because there's no advantage in having it set to "on" by default. If somebody really wants to hotlink to their images and they can't, they'll find this setting and switch it on. On the other hand, a user who has not seen the option may not even know their images are hotlinkable – and may not actually want them to be. Opt-in is almost always better than opt-out. (Alternatively, make it default to "no" as soon as someone password protects their gallery and / or makes the gallery private or force the user to choose the option rather than have a default at all.)

Even if SmugMug then continued to use iterating numbers, at least private photos would be well and truly private unless the user wanted them to be publicly available.

It comes down to how Philipp defines "private". Smugmug's features provide for just about everything anyone could want. You can lock it down with a password, remove the link from everywhere, block external links, block Google from crawling it, block keywords, etc. And you can have any combination of them you could imagine.

So basically this is a blog post about how some Smugmug users might not know the exact details about some Smugmug features? *Yawn*

News at 11! Digg shows what stories you digg to your friends!

"For me, the most simple solution to half the problem here would be to make the "ext. links" option default to "no" because there's no advantage in having it on by default."

No advantage? You mean like making it easy for grandma to just give out a simple link to her photo she wants to share? It's a photo sharing site. The default should be for easy sharing, not privacy.

> It comes down to how Philipp defines "private".

Except Philipp didn't write the definition for "private". And if someone tells you something is private, they shouldn't invent their own definition.

For reference: http://www.answers.com/private

> No advantage? You mean like making it easy for grandma to just
> give out a simple link to her photo she wants to share? It's a
> photo sharing site.

George, in that case, Grandma surely wouldn't choose to password protect the picture and wouldn't choose to make the gallery private – since she's sharing, after all – which would then allow her to copy and paste the URL of the gallery or photo page and share it with whomever she wants.

(And if Grandma really wanted to go right-clicking images to find their URLs to link to them directly on other sites, I'm sure she'd be savvy enough to go and switch on the "ext. links" option...)

> It comes down to how Philipp defines "private".

none of those options even mention the word private.

I think George said it best..

"It's a photo sharing site. The default should be for easy sharing, not privacy."

I think if you are putting pictures you dont want anyone else to see on a photo sharing site, and decide not to read what any of the options do, then its your own fault. its not a security hole

If the majority of the people using the site are sharing the photos, why should smugmug cater to the smaller percentage of private photos?

george – you dont get it. Its not just about

<users might not know the exact details about some Smugmug features? *Yawn*>

read what Andy could do – its a security breach. PERIOD its takes about 15 seconds to download the pvt picture and off course-- use em images for malicious or $$$ purpose ?

The world is smarter then smugmug- Philipp tried to contact them, smug is trying to resolve the issue.

and private is private.. or you do u think its better to tell smugusers that their pvt pics that were loaded up in smugmug or on xxx ??

   BTW sharing and privacy are two separate issues..dont confuse the two

> If the majority of the people using the site are sharing
> the photos, why should smugmug cater to the smaller
> percentage of private photos?

I'd like to see some stats on how many of the images on SmugMug have been hotlinked to versus how many haven't before answering that...

(Just to make it clear: People would still be able to share photo and gallery URLs even if my quick and easy solution was implemented.)

Tony: You don't really get it, do you?

Visitors to my Smugmug page don't see my private galleries. They don't even know those galleries exist unless I specifically give them a link to those galleries. That's privacy. Thankfully, when I do give someone a link to a private gallery, they don't have to enter a password unless I also made it a passworded gallery.

The fact that randomly crawling the site might eventually turn up those photos doesn't change anything. I consider my backyard private property, but it doesn't prevent my neighbor from peeking over the fence or from Google posting a satellite image online.

What's funny to me is that Philipp suggested using GUID's, which basically changes nothing in regards to his precious "privacy". The pages are still completely crawlable, but have bulkier and uglier URL's.

this is by design. I actually like this feature and it's the only way that I currently use SmugMug. I have a handfull of public galleries and the rest are private. I manually give out the URLS to people.

This is known as security by obscurity and it works just fine.

They have always stated this in the help long since I've been a subscriber.

George: I get it completely. Please don't patronise me by saying that I don't. Every comment I'm making here is in response to questions and statements posted by others. There's a problem – and even SmugMug employees have admitted that – so I'm trying to suggest what could be done to help improve SmugMug.

I can clearly see your side of this discussion but I simply don't agree that all those people using SmugMug to host their private pictures knew they would be accessible to others. If you have a backyard, you are completely aware that someone can look over the fence. If you post private photos to SmugMug, you may not be completely aware that people can still access them. This is all about making things clear to the user.

Unfortunately, we can't really prove either way whether SmugMug users know that their private photos are actually available to download.

http://ocnorml.org/images/security_fence.jpg

Sorry, I forgot about this bit:

> What's funny to me is that Philipp suggested using GUID's,
> which basically changes nothing in regards to his precious
> "privacy". The pages are still completely crawlable, but have
> bulkier and uglier URL's.

That's not entirely true. These GUID-enhanced URLs *wouldn't* be programatically crawlable unless they were (i) linked to from somewhere else already (in which case, the owner probably doesn't mind them being shared) or (ii) you had a mega-super-computer that could iterate through every possible GUID (which really isn't a possibility).

I am very concerned about privacy. When I mark a gallery private, I expect that only the people I have granted permission to access the gallery can access it by any means.

Smugmug must understand, I have pictures of friends and family and I have assured them their images will not be used by anyone other than myself.

Smugmug, please provide some feedback on how to configure a gallery so that they are truly private.

> Smugmug, please provide some feedback on how to configure a
> gallery so that they are truly private.

Steve, I *think* this is what you need to do to make them truly private:

   * Add a password
   * Set "public" to "no"
   * Set "hello world" to "no"
   * Set "hello smuggers!" to "no"
   * Set "ext. links" to "no"

Maybe that's a bit over the top though, I'm not entirely sure. You definitely need to add a password and set "ext. links" to "no" at the very least.

Perhaps a SmugMug user / employee could confirm that?

I'm from SmugMug.

Steve, we'll contact you from the Help Desk, thanks!
Tony, you are right, you just made a "SmugIsland" with the extra options of passworded protection and external links set to be off.

Is smugmug down? I can't get it nor am I seeing that picture above anymore.

a lot of hoohah about nothing IMO

All it needs is clearer instructions from SM as to what does what

No biggie, certainly not worth getting ones underwear tangled up about

Update (also added this to the post): The CEO of SmugMug, Don MacAskill, now blogged about this. http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/ Don and I remain to respectfully disagree on the core issue as I blogged above – his post title concludes that private photos are private – so it’s probably not necessary to repeat the details of where I disagree with his points.

They fixed the issue raised here:
http://blogoscoped.com/forum/121864.html#id121868

Don's response is well presented, polite and completely reasonable. Credit must go to him for making such an honest post – especially admitting that your emails raised a different issue which is now fixed!

Of course, I also disagree that private photos are private.

The title says:

> Your private photos are still private.

Their help pages say:

> Private galleries aren't visible on your SmugMug homepage
> and aren't included in search engines. Nobody can see them
> unless you give them a direct link...

From: http://www.smugmug.com/help/private-albums

And yet Don says in his post:

> When you set your SmugMug gallery to ‘private’, this is exactly
> what you’re doing – making the gallery and photos difficult,
> but not impossible, to find.

Now, no matter how you define what "private" actually means, telling users that nobody can see your private photos unless you give them a direct link is completely wrong in this case, especially when the instructions on the same page don't draw the user's attention to the fact that they also have to change the other settings to actually make their photos private.

And if Don had simply included the URL of a "private" photo in his blog post, I'd have been $1000 richer, as all I'd have needed to do is click the link to view it... ;-)

As I write this there is only 53499 galleries on SmugMug,
each of those pages has your user name and the path to the gallery, unless of course it is password protected.

It would only take a few minutes for me to write a python/ruby/perl/something script to pull down all of those 53499 galleries, strip the username and path out of the page and gallery path out of those pages and build a index, that I could easily re index each day.

It takes ~2 seconds to wget each page from SmugMug and say for argument ~1 second to index it. So at ~3 seconds per gallery it would take ~106998 seconds to index all of the content on SmugMug currently. So that is 29 hours of Machine time. This is also a fairly gross estimate, because I can fetch more than one page at once, I think you could safely divide that by 10 or 20.

At the end of this I have a index that links all the users to their galleries, except for ones that are password protected.

Now this is a feature, though implemented badly.

If you say used a 16 random character string (only lowercase a-z) then my search space for finding a gallery is 26^16 = 43608742899428874059776. this would be a lot better than the current search space of ZERO since I know where to find all the galleries. It isn't random luck that I end up at once (though it might be password protected, however I still know it is there), because they are sequential. As per above once you find them it is trivial to parse them for information.

This may be it intended behavior, and yes the little blurb beside the radio box does explain what it means. However I wouldn't bet on my readers reading past the word private, or fully comprehending what it means. Especially when the *industry accepted* course of action is to generate a GUID so you can't systemically enumerate things like this, and if they missed this I would hate to know what else they missed in terms of security fundamentals.

Regards,
Jack Random

grrrrrrrr.. I found " users matching '/photo/248415594-O jpg'" 257 results:

Does not count for the $1000 price money :(-

I posted a partial workaround for SmugMug here:

http://barnabas.wordpress.com/2008/01/28/plugging-smugmugs-hole/

Mr. MacAskill has also weighed in with a comment. The improvement would be to make the URLs difficult to guess, which is what GUIDs would do. Security through obscurity, I suppose, but it would foil or at least severely slow the crawling method outlined by Jack Random above.

I just solved Don't contest hack puzzle, though I don't want the prize money. He said giving him the user name or gallery name of the photo in question was enough, so I gave him both. I didn't see the image (I only tried 5 minutes), however, that contest diverts from the actual unfixed security issue at hand (you can download a massive amount of private photos), as it's a contest that asks users to find yet other security issues (the challenge being to download a single *password-protected* image, whereas my post emphasizes password protection is not the issue).

Jack Random:

SmugMug has a whole lot more than 53,499 galleries. So it'd take a lot longer than 29 hours of machine time. :)

Ok, I got the number of galleries wrong in the above post, it seems there are holes where people have deleted galleries. And my rushed binary search didn't take that into account. :P Guess that is what you get for doing things in a rush.

:P So it would take a couple of days to index everything with a nice botnet.

Regards,
Jack Random

Philipp Lessen:

Let's donate your $1000 to a charity of your choice, then. But I still need to see reproducible steps to award the prize. Please email me. :)

...waiting on pins and needles...

Seems to be a nice giant hole around 5,000,000 so I am guess that it is likely to be less that.

But then if you can get in 150 requests per second that is only 9 hours of time.

:P Though you would have to be careful not to DoS their servers, they may notice...

Regards,
Jack Random

What's funny is that I solved it too – without any help from Philipp and only seconds later...

Tony Ruscoe:

Ok, come on guys, I was hoping we'd find holes so I could fix them. But if no-one's going to share, how does that help anyone?

If you've found a hole, as I believe you have, then please, email me so I can fix it.

Don, an email is on its way assuming I got your email address correct.

It was just taking a while to put together...

Ionut:

> They fixed the issue raised here:
> http://blogoscoped.com/forum/121864.html#id121868

Yep, they fixed *that* issue but you can still find out who a photo and / or gallery belongs to, at least for the time being. Even if it's a private, password-protected, non-external-link-allowing photo.

you go Dudes ...LOL!!

hope that Don will actally send the prize money to charity.. maybe sick kids :)-

Well, someone had to do it – here is a GreaseMonkey script for browsing through galleries. It will add a small div in the top right corner of your screen with Previous and Next buttons that will take you to the previous or next gallery, numerically, from the one you were last at.

http://userscripts.org/scripts/show/21777

Hey Don -don't begin cribbing.. Not fair.

"Regarding the $1000 photo – am I on drugs or is the image empty / blank / removed? Sorry, I don’t understand the point."

pay up into Philipp's or Tony's choice of charity..!!

What about all the XSS vulnerabilities that the site has?
I CAN HAS UR PASWORDZ?

I don't really understand all the fuss here. Yes it's obviously you can iterate over all pictures, even on the private ones. You immediately see this when you see the url id scheme they use. However private does not mean protected. But I agree private should at least mean difficult to guess which is not the case at SmugMug. Of course if you really care do to so, you could download all the pictures and pinpoint single users. Let's just say that privacy is weak at SmugMug but not non existent. Well not until someone downloads all their picures which is no to hard too hard to do so (considering we only get their thumbails).

/pd:

Tony & Philipp haven't selected a charity yet. I'm ready to go.

But the image is *not* blank/removed/etc, though I can see how someone might think so. It's simply protected.

shhhhhh ....... Haochi lets not pwn da pwd(s) yet!! LOL

What's the implication?
That's really the question. For damn near 1500 words, you dance around the issue without making a point. Are you calling Don and the SmugMug staff liars?
I understand that you aren't a real journalist and that you make a name for yourself by creating controversy where no controversy exists. I also understand one of the best ways to do that is by choosing a target like Don, who is both high profile and accessible.
Unlike the vast majority of the Silicon Valley CEOs out there, Don is so dedicated, he will stay on this stupid little message board and personally respond to every untruth and incitement posted.
So, here's my implication: I imply that you are riding the coattails of the SmugMug good name. I imply that you are trying to create controversy to attract the attention of anyone who isn't just an armchair blogger to garner a modicum of the respect and attention a reputable technology reporter may bring to this unstory. More than anything, I imply that what you want is legitimacy. You go to bed praying to God for relevancy while visions of Swisher and Scoble dance in your head.
If you'll excuse me, I have to run random numbers through the Address bar on my Commodore Amiga. I'm hoping that after 250 million tries, I may find one set of boobs.

If this becomes more well known, SmugMug will become a favorite site among voyeurs. "Private" may not mean "protected", but the issue is not the semantics here, it's what the users assume of the service. If this publicity of pictures is intentional, SmugMug should logically warn their users about this when setting pictures as private. Something along the lines that "Please note that uploaded private pictures without a password protection can be viewed by any other user".

Sure, it's a lot of pictures to sift through, but things can both be scripted and ran through skin detection filters (yes, they do exist and often work surprisingly well). A dedicated user might in no time collect a gallery of nude pictures tied to the user accounts, either out of malice or for other reasons.

[I added another update to the end of the post to reflect SmugMug's Mike Lane's explanations.]

Jacob: I'd argue that Philipp is more of a journalist than most mainstream technology journalists. He researched the privacy issue in depth, contacted SmugMug's support multiple times, and interviewed the CEO. Philipp only published his article after Don stated that this was intended behavior, wasn't going to be fixed, and encouraged Philipp to blog about it.

Whether you agree with it or not, this article is getting attention because many people consider "private" and "password-protected" to mean that nobody will see their photos. The fact that we're finding candid, embarrassing photos with "External Linking" turned on (the setting's default) shows that not all of SmugMug's users understand the extremely subtle distinctions between security and privacy that Don and his team have.

This is a completely legitimate story, carefully investigated and reported. To compare Google Blogoscoped to the half-assed incendiary "journalism" practiced by most tech bloggers is completely off-base. Simply looking at his five-year publishing history will demonstrate that.

I have to agree with Andy here. Philipp did the right thing and investigated his story well.

If the rest of the blogosphere was so thorough, traditional media might already be dead.

Philip,
   I must admit I'm completely baffled as to why you consider this a problem.

   In your own screenshot you can see that right next to the "Public" option is a description, "show this gallery on your homepage?" That is a pretty accurate description of what it does. How is it that you read that and assumed it would also block all access to the photos?

If you're at the gas pump, do you expect that selecting high-grade gas will also somehow magically inflate your tires for you?

The name of that setting is "Public." It's not hard to imagine how some people might think that turning that off would make their photos private.

And actually, the only setting that really makes SmugMug photos undiscoverable is the second-to-last one, the vaguely-worded "Ext. Links." Only when that's turned off are the photos truly private. Someone could set a password and turn "Public" off, "Hello World" off, "Hello Smuggers" off, and "Hide Owner" to yes, and the photo could STILL be exposed through simple URL manipulation.

Andy – theres no point rehasing the same-

One fine day some smuguser will wake up to find their pics on craigslist (aka) the Jasan F incident.

Update 3, also added to the post: We found out that not even photos set to non-public + password-protected + external-linking-disabled and what-not are private when using a certain different approach (this also enabled us to view a seemingly protected contest image put forth by SmugMug's CEO). Due to SmugMug's use of incremented IDs instead of e.g. GUIDs, these photos – which use every possible protection setting in SmugMug – can again be crawled in large numbers. Furthermore, we noticed there's a way to show the first photo of password-protected galleries of specific users you can pick. (Other issues, like JavaScript injection, have popped up too.) We won't disclose technical details now, but privately alerted SmugMug to these additional security vulnerabilities, giving them the full background. This time, CEO Don MacAskill agreed with our analysis, saying it's "major."

Just to add to that... I'm just going to make this clear for anyone that still doesn't understand what today's findings mean:

Regardless of which privacy or security settings you set for your photos on SmugMug, it's currently possible for anyone to view a decent size copy of your photos. For Don's image that was 600 x 450pixels but for other images – like the ones in the gallery Mike linked to above * – I was able to view the original size image without entering the password, even though the images were supposedly truly private and secure.

* http://blogoscoped.com/forum/121864-full.html#id121888

[Edited link as some posts have now been collapsed.]

Please don't tell me they were relying on referrer information as a security feature.

Danny Dawson:

We definitely don't rely on referrer information as a security feature. We view it as a convenience feature.

Don MacAskill:

Sorry. I should rephrase. Please don't tell me you were relying on referrer information as a privacy-enforcement feature.

Hi. I've built some fairly big web sites, and run into similar issues before. Since I've written about this in the past
(http://joshua.schachter.org/2007/01/autoincrement.html) I thought I'd chime in with some thoughts:

As an engineer: You don't have to migrate to GUIDs. You can make keyed URLs, with the md5 of the serial number and a secret key in the URL, and check it in the webserver itself (which just needs to know the key). So /photos/[serial]-M-[md5(serial, secret)].jpg This lets you keep the (poorly chosen) sequential ID scheme, but prevent the identifiers from being iterated.

As a statistician: You don't have to iterate over the whole set. There's a number of ways to reduce the range of what I have to crawl to find what I want; I can think of a few ways to reduce it by two orders of magnitude, and that's without even trying.

As a product guy: The gap here is not the technical implementation, it's user expectation (their user's interpretation of the word "privacy" regardless of definition, documentation, etc) versus the reality. So saying that they are "really" private, even though there's a small chance their stuff might be found, is a gap in understanding.

Finally: As an entrepreneur: Own your mistakes, say you're sorry, and fix it. I understand the urge to be defensive, but you have to look at things from more angles than anyone else.

==>So /photos/[serial]-M-[md5(serial, secret)].jpg

Josh , what is the -M- variable ??

I am a casual user of smugmug. I do not WANT them to use GUID's. I LIKE that I can iterate my photo's easily. To me its a feature, not a bug, and one of the big reasons I like smugmug.

just my .02

/pd:
That's the image size label (M=medium).

Joshua Schachter:
Whatever GUID scheme they were to choose, it would be a massive outrage among users. Imagine millions of dead links on hotlinked images.

Unfortunately, poor design decisions in the very beginning tend to be quite difficult to change later. What's reasonable to do now is to leave the existing URLs as they are, fix the security bugs found by Philipp and Tony and think about ID randomization or GUID scheme for new albums.

SmugMug user Doug:

> I LIKE that I can iterate my photo's easily.

Except you can't iterate through your own photos easily because your own photos are not necessarily using sequential numbers due to the number of photos being constantly uploaded, so I don't understand how this helps you...

Interesting…It seems that they have adequate privacy controls, it is just tricky to figure out how/where to enable them. They should change the wording to be less confusing! It is much more effective when sites really spell out the privacy controls and emphasize their power- similar to what Pixamo has done.

Philipp, thanks for raising this issue in public. I reported it to SmugMug almost a year ago and they insisted that there was no problem. If SmugMug wants to support users who prefer a simplistic sequential numbering scheme, that's fine, but SmugMug should offer an alternative for those of us who would like a bit more privacy.

Jeff, that's interesting because Don said in his first email to Philipp (which he's now published on his blog):

<< I’m in completely agreement, that GUIDs would help greatly here, but I’m afraid our system wasn’t built for GUIDs, and retrofitting our code and database to support GUIDs would be an extremely expensive proposition. Not that we’re not willing to do it – we would certainly consider it – but yours is the first request I’ve see in years to do so. >>

From: http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/

Do you happen to still have the emails exchanged between yourself and SmugMug?

Tony, if he does have an email, then that opens a totally new can of worms for Don /SmugMug- its called as a "Due Diligence" and "Reason to Belive" statutory instruments can be triggered!!

I do have the emails. They went to SmugMug support and the replys came from Andy Williams. I didn't ask for GUIDs, but I did ask for a solution (I mentioned an alternative suggestion that would have prevented simplistic enumeration).

Thanks for your post on this matter.

As a smugmug user, this issue alarms me because when I mark things as private I want them to be truly private--meaning that people can't see my photos.

What worries me is that smugmug's oversight on this matter points to other undiscovered oversights that are far worse.

I hope that smugmug will implement some sort of obfuscated ID system soon. Or at least give users the option to request an obfuscated URL.

I was on the verge of setting up another smugmug account but now I am looking to other services that are using GUIDs or MD5 hashes for gallery URLs and photo URLs.

Update from Don:

http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/

Were SmugMug honest, user-centered, and initially not so stupid as they now admit (if veiled in euphemisms of this and that), the whole upgrade to non-iterative urls would have gone faster and smoother. Instead, Philipp and others had to persist in bringing that --one would have thought beyond obvious-- issue up to these no-goodniks' attention (persist up to and including unpaid code forensics and hitherto unknown, novel attack vectors). In effect a few outside hackers had to perform UNSOLICITED LOBBYING for SmugMug's own good, because its leaders were --if for a moment-- incompetent [Randal L. Schwartz' case also comes to mind].

Leaving aside the assignment of blame, it'd interesting to know how much, in monetary terms, Philipp would judge the cost of that work (time x hourly rate = estmate)....

... and then compare that, no doubt reasonable, sum to potential cost to SmugMug of either having to defend itself in court after somebody, whose "privacy" has been breached, has sued for damages; OR that, AND h ving to pay real $uper-$ized settlement in a subsequent class action.

I know it's difficult to judge offhand, but, hey! we know you can do hextrix, but can you count in decimal? ;-))

Thanks Tony. I added this update to the post:

<<SmugMug announced they’re now calling the option “unlisted” instead of “private” – see new interface for creating galleries* – and they're also appending a key to new URLs to solve the problems of photo IDs being easy to iterate. All old photo galleries on the other hand will remain insecure as outlined above (unless the user e.g. moves them into a new album).>>

They don't seem to want to go through some forced transition phase to secure existing photos, as Google's Picasa Web Albums did a while back when they were pointed to their issues. A transitional phase like e.g. an email "please unlock your gallery until next month if you actually meant it to be public (there was a bug which made your private pics public)", which could additionally have consisted of helping customers who access existing pages via automated alerts ("the gallery is protected now, would you request the owner of it to grant you access?" etc.) In other words, instead of making insecurity opt-out, SmugMug made security opt-in for existing galleries... erring on the side of having a security vulnerability for users who don't take action now for whatever reason.

*Wonder why they're not using 3 radio buttons in their new creation interface – the "lock down" option, which asks you to define a password, ghosts the other two radio buttons anyway when you choose it – and call it "( ) public ... ( ) unlisted ... ( ) private":

http://blogoscoped.com/files/smugmug-new.png

> Wonder why they're not using 3 radio buttons in their new
> creation interface ...

I guess that's because you can have a public gallery that is "locked down" with a password and external linking disabled. I assume those extra settings appear once you check the "Lock it Down" box?

Tony, picking the third button will ghost the other two radio buttons anyway (and preselect "unlisted")* – so it's already working pretty much exactly like 3 radio buttons would work. Their interface layout suggest you can have both "public" and "lock it down", but their interface behavior suggests you can never combine "public" and "lock it down" (lock it down always implies unlisted, their interface behavior suggests). So I wonder why they don't call the "lock down" option "private", as private implies not listing the gallery anyway... and perhaps call the "unlisted" option "only unlisted" or something.
Well, but those are minor interface discussions, and opinion may vary. The bigger issue seem to be the masses of old unsecured photos which remain unsecured even when their owners originally set them to private.

*Here's what you see with the right option checked:
http://blogoscoped.com/files/smugmug-new-2.png

If this was my site, I would have splurged and gone for a sixth character for the keys.

601,692,057 combinations might be too expensive to exhaustively search today, but those URLs are going to be around for a long time.

34,296,447,249 would have been so much better, for the cost of one extra character. If you're going to redesign the site anyway, may as well do it properly.

> picking the third button will ghost the other two radio buttons

In that case, you're absolutely right. I guess this way it just reinforces the fact that locked down galleries are also unlisted.

I guess "lock down" automatically switches off external linking too. I guess that makes sense even if it's not as flexible as before. (Why would anyone want to password protect an unlisted gallery but still publicly link to the images?)

Roger, seems they also wasted 1 character by using underscore instead of a-z.

e.g.
bla.smugmug.com/gallery/4301686XBt8Wr
instead of
bla.smugmug.com/gallery/4301686_Bt8Wr

The string would still be splittable into ID and key by splitting at the first occurence of a non-numerical character.
This would also have made the URLs look less technical (and it would also prevent the admittedly minor issue that in some link-rendering contexts, link underlines make underscores disappear in the layout).

Then again, if they'd use a GUID instead of still printing out the ID in the URL, they could save even more characters because of the choice of more characters available per position.

> I guess that makes sense even if it's not as
> flexible as before.

Above dialog is when you create a new gallery... the new customization options when editing the gallery settings are still flexible/ confusing to some degree:

http://blogoscoped.com/files/smugmug-new-3.png

"Special thanks to our customers and friends who weighed in with lots of detail both about the problem and the implementation, and Philipp for being so passionate and firm about the situation."

I tell you that Don guy – is an upfront dude – watching this story unfold and the action and reaction was really a neato experience. I wish all s/w vendors and service providers had the class of Don /SmugMug team. On the technically side of things I'll need to digress because thats really not my flavour, but on the social / community side.. I tip my hat to Phillipp, Tony and Don!!