Google Blogoscoped

Thursday, December 4, 2008

Locked Picasa Web Albums

Google added an option to their photo gallery app Picasa Web Albums that lets you lock albums. The option is named “Sign-in required to view,” meaning only people you share the album with are meant to access it, after signing in with their Google account. The pictures themselves – like this image from a sign-in album – are still technically public, though the URLs are probably cryptic enough to stop people from simply guessing them (it might still be better to password-protect even the image URL itself).

In the past, Google already offered (and continues to offer) what they call “unlisted” albums, but those were troubled by privacy issues from time to time. For instance, in the beginning you could simply try guessing the album title (say, a title like “Private”) to get to the unlisted album. Recently, Google fixed a vulnerability in which outgoing links could pass the unlisted album URL’s authentication key on to third-party sites through the referrer field. Also, sharing just a single photo sometimes potentially shared access to the whole album. In fact, this issue remains even for “sign-in” albums: when you select “Share Photo” for a single photo in a sign-in album, the recipient will be able to view your full album.

In other news, Google Picasa software product manager Mike Horowitz has left Google to join Fetch Technologies.

[Hat tip to Brinke, Wonder and Louis Gray!]

