Filed under: Internet, Security, Web services, web 2.0
SmugMug doesn't seem to understand the meaning of privacy
Sure, a password would make the page more secure, but it would also make it more inconvenient for your friends, family, and colleagues to see your vacation photos. But as long as there's no easy way for the general public to find your photos, they're still secure from prying eyes, right?
Maybe not. The problem is that SmugMug gives images a predictable URL string, starting with http://www.smugmug.com/gallery/1000. All you have to do is change the number and you'll start to find photo album after photo album, whether they're market public or private.
As Google Blogoscope's Philipp Lenssen points out, the solution could be as simple as using a random string of characters. But the CEO of SmugMug replied in an email to Lenssen that the system wasn't built for randomized strings, and changing it now would be expensive. And you know what? If most SmugMug users remain blissfully unaware that their "private" images might be publicly accessible then maybe it's not wroth the time and money to fix the flaw. But we kind of think SmugMug and any other company that claims to offer users some level of privacy should really be willing to improve their system when flaws are pointed out.
So, just how good at time waster games are you? Think you've got the stuff? Well, The World's Hardest Game 2.0 doesn't think you do.
Yes, amazingly, it's possible to have a sequel to a game called "The World's Hardest Game". It doesn't seem logically possible, since if the first one was actually the world's hardest, how could another one come along and share the moniker? It made me doubt the name in the first place. That is, until I tried the game.
The mechanics of the game are very simple. You are a small red square, ...
Reader Comments (Page 1 of 1)
kevjohn said 12:48PM on 1-28-2008
That's just sloppy, SmugMug.
I wonder if changing the gallery number to view the different 'private' albums will be considered to be a form of hacking in N. Dakota.
Reply
Erik Anderson said 2:10PM on 1-28-2008
While I agree that this is somewhat sloppy, this type of privacy, even when using random strings, falls into the "security by obscurity" umbrella. If people *really* want their pictures to be private, apply a password.
Reply
Rocketboy said 2:39PM on 1-28-2008
Shades of the MSN Groups Magic Link...
Reply
Barnabas Kendall said 5:12PM on 1-28-2008
I posted a workaround for SmugMug's "problem" in my blog, and it isn't as expensive as the previously proposed solution:
http://barnabas.wordpress.com/2008/01/28/plugging-smugmugs-hole/
They don't have to convert to random characters (or GUIDs), but they should do something. This is a PR disaster waiting to happen, as MySpace recently found out.
Reply
Greg said 1:49PM on 1-30-2008
I agree with KevJohn- this issue does seem sort of sloppy. You would think that with issues like Facebook’s privacy that other sites (competitors even) would tidy up on the privacy settings and even promote a stronger privacy policy. In today’s online world, a solid privacy and security policy could be a huge competitive advantage.
Reply