Philipp Lenssen of Google Blogoscoped created a mini-storm this week when he discovered a major security hole in the way photo-sharing site SmugMug.Com implements its privacy settings for photos people have uploaded to the site. Unfortunately, SmugMug’s reaction so far has been very…well…smug.
People who post photos on SmugMug want to be able to share their photos with friends but not necessarily share them with the entire Internet. Moreover, they don’t necessarily want their friends to have to know a username, password, etc. So SmugMug has a “privacy” setting which doesn’t require a password but does require someone to have the exact URL to the photo being shared.
This is not a bad idea, especially if done with a Globally Unique Identifier. With a GUID, each photo would have an arbitrary identifier in the URL that would be very difficult to guess or brute force. But, as SmugMug’s CEO confesses, they didn’t know what GUIDs were when they first started SmugMug, so they didn’t use them.
Instead, SmugMug uses the incredibly stupid system of simply starting at 1 and incrementing up for all its photos and galleries in the form
…meaning it is trivial to write a script to crawl the site and easily view any and all “private” photos on the site. According to Lenssen, there are other security problems that make it possible to view even some password-protected photos and galleries at SmugMug.com.
SmugMug’s response is basically a) users of SmugMug aren’t complaining yet, b) implementing GUIDs would be expensive at this point, and c) using this method you can’t get at specific photos.
I’m not surprised that SmugMug users aren’t complaining yet, but I wonder how happy they’d be if they knew that, say, the “private” photo taken in a hotel room posing with lingerie is easily downloadable by anyone with enough patience (and most users seem to have their names on their galleries, so it wouldn’t be too difficult to download all of John Doe’s embarrassing pictures and then post them elsewhere on the Internet and associate the pictures with the individual who posted them). And all this from a site that trumpets it is “Safe and secure” in its front-page pitch.
Definitely a service to avoid.