Google Blogoscoped

Monday, October 6, 2008

Picasa Unlisted Albums Privacy Issue Fixed

Google’s photo storing app Picasa Web Albums had a bit of a privacy vulnerability. When you create an unlisted album to send to friends, you’ll usually not expect the URL to get out to non-friends – that’s why Google included an authentication key parameter in the URL so it’s not possible to quickly guess the address (they didn’t in the beginning, which allowed you to e.g. see Larry Page’s unlisted album, but Google were later convinced it makes sense). However, Google allowed outgoing links in comments to photos of those unlisted albums. When you entered e.g. “Great photo, also see” as a comment just a while ago, Google would automatically create a direct link to As you know if you’re a webmaster, when someone clicks such a direct link – i.e. in this case a click-through by you or your friends who were invited – the potentially uninvited owner of can now see the referrer URL in their log files... including the authentication key to get into your unlisted album.

What Google could have done to keep the links but make them safe is to redirect them through some Google page, which would as a consequence hide the original referrer to the webmaster of the other site. Instead, Google now does not automatically convert URLs to clickable links in comments, which has the same effect of ensuring the privacy of Picasa albums in regards to this hole.* Additionally, if you have any unlisted photos which have comments with external URLs and you care a lot about the privacy of that album, you might want to delete the album now and set up a new one, in case the authentication key has already gotten out.

*In general though, you should never really expect unlisted web pages to be fully private; only password-protection makes it technically safe, because as this case shows, unlisting is more of a “human agreement,” unsupported by the underlying technology & protocols. And not even your friends may at all times be perfectly sure about a page’s status, so they may inadvertently share a page publicly which you intended to be friends-only... something which would happen more rarely when it’s a password they would need to share (especially if it’s their own Google Account credentials they’re using to login).

Update: Instead of deleting an album and setting up a new one (in case the authentication key might have already gotten out) you can also just rename it; that will create a new authentication key. [Thanks Wouter!]
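To illustrate the redirect approach suggested above, here is an added example (not Google's code): a Python comment renderer that sends external links through an interstitial page on the service's own origin and marks them `rel="noreferrer"`, next to the leaky direct-link rendering. The host names, the `/out` endpoint, the `authkey` parameter name and the sample album URL are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed for illustration: host names, the /out endpoint, the parameter name.
INTERSTITIAL = "https://photos.example/out?to="
SECRET_PARAMS = {"authkey"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed sample data
ALBUM = "https://photos.example/alice/Holiday?authkey=Gv1sRgEXAMPLE"
COMMENT = "Great photo, also see http://other.example/gallery"


def carries_secret(url):
    """True if this URL would expose a secret query parameter as a Referer."""
    query = parse_qs(urlsplit(url).query)
    return any(name in query for name in SECRET_PARAMS)


def render_comment(comment, safe=True):
    """HTML-escape a comment and turn bare URLs into links.

    safe=False reproduces the leaky behaviour: a direct anchor, so the
    browser sends the album URL (key included) as Referer to the target.
    safe=True links to an interstitial page on our own origin and adds
    rel="noreferrer". The interstitial must be a real page that navigates
    on (e.g. meta refresh); a bare 3xx keeps the original Referer.
    """
    parts, pos = [], 0
    for match in URL_RE.finditer(comment):
        url = match.group(0)
        parts.append(html.escape(comment[pos:match.start()]))
        href = INTERSTITIAL + quote(url, safe="") if safe else url
        rel = ' rel="noreferrer nofollow"' if safe else ""
        parts.append('<a href="%s"%s>%s</a>' % (html.escape(href), rel, html.escape(url)))
        pos = match.end()
    parts.append(html.escape(comment[pos:]))
    return "".join(parts)


def first_hop_referer(album_url, rendered_html):
    """Simplified model of the most the external site can log as Referer.

    Direct link: the album page itself. Interstitial link: the external
    site is reached from the interstitial URL, which holds no key.
    """
    href = html.unescape(re.search(r'href="([^"]+)"', rendered_html).group(1))
    return href if href.startswith(INTERSTITIAL) else album_url
```

Running `carries_secret(first_hop_referer(ALBUM, render_comment(COMMENT, safe=False)))` shows the key-bearing album URL reaching the external site, while the same call with `safe=True` does not.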

