Google Blogoscoped

Forum

SmugMug's Private Pics Are Public

Eugene Villar [PersonRank 5]

Monday, January 28, 2008
16 years ago, 71,388 views

That was monumentally stupid. Security/privacy by obfuscation (GUIDs) is no security at all but a predictably incrementing ID number? I agree that retrofitting the system to use GUIDs is a bit hard but they should've considered it in the first place since it's a very small investment that would make browsing private pics extremely harder.

/pd [PersonRank 10]

16 years ago #

shhhhhh ....... Haochi lets not pwn da pwd(s) yet!! LOL

Jacob Marlowe [PersonRank 0]

16 years ago #

What's the implication?
That's really the question. For damn near 1500 words, you dance around the issue without making a point. Are you calling Don and the SmugMug staff liars?
I understand that you aren't a real journalist and that you make a name for yourself by creating controversy where no controversy exists. I also understand one of the best ways to do that is by choosing a target like Don, who is both high profile and accessible.
Unlike the vast majority of the Silicon Valley CEOs out there, Don is so dedicated, he will stay on this stupid little message board and personally respond to every untruth and incitement posted.
So, here's my implication: I imply that you are riding the coattails of the SmugMug good name. I imply that you are trying to create controversy to attract the attention of anyone who isn't just an armchair blogger to garner a modicum of the respect and attention a reputable technology reporter may bring to this unstory. More than anything, I imply that what you want is legitimacy. You go to bed praying to God for relevancy while visions of Swisher and Scoble dance in your head.
If you'll excuse me, I have to run random numbers through the Address bar on my Commodore Amiga. I'm hoping that after 250 million tries, I may find one set of boobs.

Jonas [PersonRank 0]

16 years ago #

If this becomes more well known, SmugMug will become a favorite site among voyeurs. "Private" may not mean "protected", but the issue is not the semantics here, it's what the users assume of the service. If this publicity of pictures is intentional, SmugMug should logically warn their users about this when setting pictures as private. Something along the lines that "Please note that uploaded private pictures without a password protection can be viewed by any other user".

Sure, it's a lot of pictures to sift through, but things can both be scripted and run through skin detection filters (yes, they do exist and often work surprisingly well). A dedicated user might in no time collect a gallery of nude pictures tied to the user accounts, either out of malice or for other reasons.

Philipp Lenssen [PersonRank 10]

16 years ago #

[I added another update to the end of the post to reflect SmugMug's Mike Lane's explanations.]

Andy Baio [PersonRank 2]

16 years ago #

Jacob: I'd argue that Philipp is more of a journalist than most mainstream technology journalists. He researched the privacy issue in depth, contacted SmugMug's support multiple times, and interviewed the CEO. Philipp only published his article after Don stated that this was intended behavior, wasn't going to be fixed, and encouraged Philipp to blog about it.

Whether you agree with it or not, this article is getting attention because many people consider "private" and "password-protected" to mean that nobody will see their photos. The fact that we're finding candid, embarrassing photos with "External Linking" turned on (the setting's default) shows that not all of SmugMug's users understand the extremely subtle distinctions between security and privacy that Don and his team have.

This is a completely legitimate story, carefully investigated and reported. To compare Google Blogoscoped to the half-assed incendiary "journalism" practiced by most tech bloggers is completely off-base. Simply looking at his five-year publishing history will demonstrate that.

Don MacAskill [PersonRank 1]

16 years ago #

I have to agree with Andy here. Philipp did the right thing and investigated his story well.

If the rest of the blogosphere was so thorough, traditional media might already be dead.

Brian R [PersonRank 0]

16 years ago #

Philip,
I must admit I'm completely baffled as to why you consider this a problem.

In your own screenshot you can see that right next to the "Public" option is a description, "show this gallery on your homepage?" That is a pretty accurate description of what it does. How is it that you read that and assumed it would also block all access to the photos?

If you're at the gas pump, do you expect that selecting high-grade gas will also somehow magically inflate your tires for you?

Andy Baio [PersonRank 2]

16 years ago #

The name of that setting is "Public." It's not hard to imagine how some people might think that turning that off would make their photos private.

And actually, the only setting that really makes SmugMug photos undiscoverable is the second-to-last one, the vaguely-worded "Ext. Links." Only when that's turned off are the photos truly private. Someone could set a password and turn "Public" off, "Hello World" off, "Hello Smuggers" off, and "Hide Owner" to yes, and the photo could STILL be exposed through simple URL manipulation.

/pd [PersonRank 10]

16 years ago #

Andy – there's no point rehashing the same-

One fine day some smuguser will wake up to find their pics on craigslist (aka) the Jasan F incident.

Philipp Lenssen [PersonRank 10]

16 years ago #

Update 3, also added to the post: We found out that not even photos set to non-public + password-protected + external-linking-disabled and what-not are private when using a certain different approach (this also enabled us to view a seemingly protected contest image put forth by SmugMug's CEO). Due to SmugMug's use of incremented IDs instead of e.g. GUIDs, these photos – which use every possible protection setting in SmugMug – can again be crawled in large numbers. Furthermore, we noticed there's a way to show the first photo of password-protected galleries of specific users you can pick. (Other issues, like JavaScript injection, have popped up too.) We won't disclose technical details now, but privately alerted SmugMug to these additional security vulnerabilities, giving them the full background. This time, CEO Don MacAskill agreed with our analysis, saying it's "major."

Tony Ruscoe [PersonRank 10]

16 years ago #

Just to add to that... I'm just going to make this clear for anyone that still doesn't understand what today's findings mean:

Regardless of which privacy or security settings you set for your photos on SmugMug, it's currently possible for anyone to view a decent size copy of your photos. For Don's image that was 600 x 450 pixels but for other images – like the ones in the gallery Mike linked to above * – I was able to view the original size image without entering the password, even though the images were supposedly truly private and secure.

* http://blogoscoped.com/forum/121864-full.html#id121888

[Edited link as some posts have now been collapsed.]

Danny Dawson [PersonRank 1]

16 years ago #

Please don't tell me they were relying on referrer information as a security feature.

Don MacAskill [PersonRank 1]

16 years ago #

@Danny Dawson:

We definitely don't rely on referrer information as a security feature. We view it as a convenience feature.

Danny Dawson [PersonRank 1]

16 years ago #

@Don MacAskill:

Sorry. I should rephrase. Please don't tell me you were relying on referrer information as a privacy-enforcement feature.

Joshua Schachter [PersonRank 0]

16 years ago #

Hi. I've built some fairly big web sites, and run into similar issues before. Since I've written about this in the past (http://joshua.schachter.org/2007/01/autoincrement.html) I thought I'd chime in with some thoughts:

As an engineer: You don't have to migrate to GUIDs. You can make keyed URLs, with the md5 of the serial number and a secret key in the URL, and check it in the webserver itself (which just needs to know the key). So /photos/[serial]-M-[md5(serial, secret)].jpg This lets you keep the (poorly chosen) sequential ID scheme, but prevent the identifiers from being iterated.

As a statistician: You don't have to iterate over the whole set. There's a number of ways to reduce the range of what I have to crawl to find what I want; I can think of a few ways to reduce it by two orders of magnitude, and that's without even trying.

As a product guy: The gap here is not the technical implementation, it's user expectation (their user's interpretation of the word "privacy" regardless of definition, documentation, etc) versus the reality. So saying that they are "really" private, even though there's a small chance their stuff might be found, is a gap in understanding.

Finally: As an entrepreneur: Own your mistakes, say you're sorry, and fix it. I understand the urge to be defensive, but you have to look at things from more angles than anyone else.

/pd [PersonRank 10]

16 years ago #

==>So /photos/[serial]-M-[md5(serial, secret)].jpg

Josh, what is the -M- variable??

SmugMug user Doug [PersonRank 0]

16 years ago #

I am a casual user of smugmug. I do not WANT them to use GUIDs. I LIKE that I can iterate my photos easily. To me it's a feature, not a bug, and one of the big reasons I like smugmug.

just my .02

Marcin Sochacki (Wanted) [PersonRank 10]

16 years ago #

@/pd:
That's the image size label (M=medium).

Marcin Sochacki (Wanted) [PersonRank 10]

16 years ago #

@Joshua Schachter:
Whatever GUID scheme they were to choose, it would be a massive outrage among users. Imagine millions of dead links on hotlinked images.

Unfortunately, poor design decisions in the very beginning tend to be quite difficult to change later. What's reasonable to do now is to leave the existing URLs as they are, fix the security bugs found by Philipp and Tony and think about ID randomization or GUID scheme for new albums.

Tony Ruscoe [PersonRank 10]

16 years ago #

@SmugMug user Doug:

> I LIKE that I can iterate my photos easily.

Except you can't iterate through your own photos easily because your own photos are not necessarily using sequential numbers due to the number of photos being constantly uploaded, so I don't understand how this helps you...

Jake [PersonRank 0]

16 years ago #

Interesting... It seems that they have adequate privacy controls, it is just tricky to figure out how/where to enable them. They should change the wording to be less confusing! It is much more effective when sites really spell out the privacy controls and emphasize their power, similar to what Pixamo has done.

Jeff [PersonRank 0]

16 years ago #

Philipp, thanks for raising this issue in public. I reported it to SmugMug almost a year ago and they insisted that there was no problem. If SmugMug wants to support users who prefer a simplistic sequential numbering scheme, that's fine, but SmugMug should offer an alternative for those of us who would like a bit more privacy.

Tony Ruscoe [PersonRank 10]

16 years ago #

Jeff, that's interesting because Don said in his first email to Philipp (which he's now published on his blog):

<< I’m in complete agreement, that GUIDs would help greatly here, but I’m afraid our system wasn’t built for GUIDs, and retrofitting our code and database to support GUIDs would be an extremely expensive proposition. Not that we’re not willing to do it – we would certainly consider it – but yours is the first request I’ve seen in years to do so. >>

From: http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/

Do you happen to still have the emails exchanged between yourself and SmugMug?

/pd [PersonRank 10]

16 years ago #

Tony, if he does have an email, then that opens a totally new can of worms for Don /SmugMug – it's called "Due Diligence", and "Reason to Believe" statutory instruments can be triggered!!

Jeff [PersonRank 0]

16 years ago #

I do have the emails. They went to SmugMug support and the replies came from Andy Williams. I didn't ask for GUIDs, but I did ask for a solution (I mentioned an alternative suggestion that would have prevented simplistic enumeration).

smugmug user [PersonRank 0]

16 years ago #

Thanks for your post on this matter.

As a smugmug user, this issue alarms me because when I mark things as private I want them to be truly private--meaning that people can't see my photos.

What worries me is that smugmug's oversight on this matter points to other undiscovered oversights that are far worse.

I hope that smugmug will implement some sort of obfuscated ID system soon. Or at least give users the option to request an obfuscated URL.

I was on the verge of setting up another smugmug account but now I am looking to other services that are using GUIDs or MD5 hashes for gallery URLs and photo URLs.

Tony Ruscoe [PersonRank 10]

16 years ago #

Update from Don:

http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/

Ianf [PersonRank 10]

16 years ago #

Were SmugMug honest, user-centered, and initially not so stupid as they now admit (if veiled in euphemisms of this and that), the whole upgrade to non-iterative urls would have gone faster and smoother. Instead, Philipp and others had to persist in bringing that --one would have thought beyond obvious-- issue up to these no-goodniks' attention (persist up to and including unpaid code forensics and hitherto unknown, novel attack vectors). In effect a few outside hackers had to perform UNSOLICITED LOBBYING for SmugMug's own good, because its leaders were --if for a moment-- incompetent [Randal L. Schwartz' case also comes to mind].

Leaving aside the assignment of blame, it'd be interesting to know how much, in monetary terms, Philipp would judge the cost of that work (time x hourly rate = estimate)....

... and then compare that, no doubt reasonable, sum to potential cost to SmugMug of either having to defend itself in court after somebody, whose "privacy" has been breached, has sued for damages; OR that, AND having to pay real $uper-$ized settlement in a subsequent class action.

I know it's difficult to judge offhand, but, hey! we know you can do hextrix, but can you count in decimal? ;-))

Philipp Lenssen [PersonRank 10]

16 years ago #

Thanks Tony. I added this update to the post:

<<SmugMug announced they’re now calling the option “unlisted” instead of “private” – see new interface for creating galleries* – and they're also appending a key to new URLs to solve the problems of photo IDs being easy to iterate. All old photo galleries on the other hand will remain insecure as outlined above (unless the user e.g. moves them into a new album).>>

They don't seem to want to go through some forced transition phase to secure existing photos, as Google's Picasa Web Albums did a while back when they were pointed to their issues. A transitional phase like e.g. an email "please unlock your gallery until next month if you actually meant it to be public (there was a bug which made your private pics public)", which could additionally have consisted of helping customers who access existing pages via automated alerts ("the gallery is protected now, would you request the owner of it to grant you access?" etc.) In other words, instead of making insecurity opt-out, SmugMug made security opt-in for existing galleries... erring on the side of having a security vulnerability for users who don't take action now for whatever reason.

*Wonder why they're not using 3 radio buttons in their new creation interface – the "lock down" option, which asks you to define a password, ghosts the other two radio buttons anyway when you choose it – and call it "( ) public ... ( ) unlisted ... ( ) private":

http://blogoscoped.com/files/smugmug-new.png

Tony Ruscoe [PersonRank 10]

16 years ago #

> Wonder why they're not using 3 radio buttons in their new
> creation interface ...

I guess that's because you can have a public gallery that is "locked down" with a password and external linking disabled. I assume those extra settings appear once you check the "Lock it Down" box?

Philipp Lenssen [PersonRank 10]

16 years ago #

Tony, picking the third button will ghost the other two radio buttons anyway (and preselect "unlisted")* – so it's already working pretty much exactly like 3 radio buttons would work. Their interface layout suggests you can have both "public" and "lock it down", but their interface behavior suggests you can never combine "public" and "lock it down" (lock it down always implies unlisted, their interface behavior suggests). So I wonder why they don't call the "lock down" option "private", as private implies not listing the gallery anyway... and perhaps call the "unlisted" option "only unlisted" or something.
Well, but those are minor interface discussions, and opinion may vary. The bigger issue seems to be the masses of old unsecured photos which remain unsecured even when their owners originally set them to private.

*Here's what you see with the right option checked:
http://blogoscoped.com/files/smugmug-new-2.png

Roger Browne [PersonRank 10]

16 years ago #

If this was my site, I would have splurged and gone for a sixth character for the keys.

601,692,057 combinations might be too expensive to exhaustively search today, but those URLs are going to be around for a long time.

34,296,447,249 would have been so much better, for the cost of one extra character. If you're going to redesign the site anyway, may as well do it properly.

Tony Ruscoe [PersonRank 10]

16 years ago #

> picking the third button will ghost the other two radio buttons

In that case, you're absolutely right. I guess this way it just reinforces the fact that locked down galleries are also unlisted.

I guess "lock down" automatically switches off external linking too. I guess that makes sense even if it's not as flexible as before. (Why would anyone want to password protect an unlisted gallery but still publicly link to the images?)

Philipp Lenssen [PersonRank 10]

16 years ago #

Roger, seems they also wasted 1 character by using underscore instead of a-z.

e.g.
bla.smugmug.com/gallery/4301686XBt8Wr
instead of
bla.smugmug.com/gallery/4301686_Bt8Wr

The string would still be splittable into ID and key by splitting at the first occurrence of a non-numerical character.
This would also have made the URLs look less technical (and it would also prevent the admittedly minor issue that in some link-rendering contexts, link underlines make underscores disappear in the layout).

Then again, if they'd use a GUID instead of still printing out the ID in the URL, they could save even more characters because of the choice of more characters available per position.

> I guess that makes sense even if it's not as
> flexible as before.

Above dialog is when you create a new gallery... the new customization options when editing the gallery settings are still flexible/confusing to some degree:

http://blogoscoped.com/files/smugmug-new-3.png
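The keyed-URL scheme Joshua sketched earlier in the thread (/photos/[serial]-M-[md5(serial, secret)].jpg), written out in the separator-less gallery form Philipp describes just above, together with the key-space count behind Roger's 5-versus-6-character comparison. This is an added example, not SmugMug's code or anyone's from this thread: the secret is a constructed placeholder, HMAC-SHA256 is swapped in for the md5 Joshua mentioned, and the letters / letters-plus-digits alphabet is an assumption, so its counts differ from the page's 601,692,057 and 34,296,447,249 (which are 57^5 and 57^6).

```python
import hashlib
import hmac
import re
import string

# Constructed placeholder secret; a real deployment keeps this out of the code base.
SECRET = b"example-server-side-secret-do-not-reuse"
KEY_LENGTH = 5  # Roger's comparison is 5 vs 6 characters; verify_path enforces this

# The first key character is a letter so the key can be told apart from the
# numeric id without an underscore (Philipp's point); later positions may also
# use digits, as the "Bt8Wr" sample on the page does.
FIRST_CHARS = string.ascii_letters                  # 52 symbols
REST_CHARS = string.ascii_letters + string.digits   # 62 symbols
_PATH_RE = re.compile(r"^/gallery/(\d+)([A-Za-z][A-Za-z0-9]*)$")


def derive_key(gallery_id: int, length: int = KEY_LENGTH) -> str:
    """Derive the URL key for an id from HMAC-SHA256(SECRET, id).

    HMAC stands in for the md5(serial, secret) of the thread: same idea, but a
    standard keyed construction. The digest is read as one big integer and
    converted digit by digit into the URL alphabet, so the key is fixed for a
    given id yet cannot be computed without SECRET."""
    digest = hmac.new(SECRET, str(gallery_id).encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    n, i = divmod(n, len(FIRST_CHARS))
    chars = [FIRST_CHARS[i]]
    for _ in range(length - 1):
        n, i = divmod(n, len(REST_CHARS))
        chars.append(REST_CHARS[i])
    return "".join(chars)


def gallery_path(gallery_id: int) -> str:
    """Build the separator-less form, e.g. /gallery/4301686XBt8Wr."""
    return f"/gallery/{gallery_id}{derive_key(gallery_id)}"


def split_path(path: str):
    """Split at the first non-digit into (id, key); None if malformed."""
    m = _PATH_RE.match(path)
    return (int(m.group(1)), m.group(2)) if m else None


def verify_path(path: str) -> bool:
    """Server-side check before serving: recompute the key for the id in the
    URL and compare in constant time. A request that bumps the id to id+1 still
    carries the old key, which no longer matches, so sequential ids stop being
    enumerable. Keys of the wrong length are rejected outright."""
    parts = split_path(path)
    if parts is None:
        return False
    gallery_id, key = parts
    if len(key) != KEY_LENGTH:
        return False
    return hmac.compare_digest(key, derive_key(gallery_id))


def key_space(length: int) -> int:
    """Distinct keys of a given length: a letter first, then letters+digits."""
    return len(FIRST_CHARS) * len(REST_CHARS) ** (length - 1)
```

Old galleries that never received a key are exactly the ones this check cannot protect, which is the transition problem Philipp raises below.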

/pd [PersonRank 10]

16 years ago #

"Special thanks to our customers and friends who weighed in with lots of detail both about the problem and the implementation, and Philipp for being so passionate and firm about the situation."

I tell you that Don guy – is an upfront dude – watching this story unfold and the action and reaction was really a neato experience. I wish all s/w vendors and service providers had the class of Don /SmugMug team. On the technical side of things I'll need to digress because that's really not my flavour, but on the social / community side.. I tip my hat to Philipp, Tony and Don!!
