Filed under: Internet, Security, Web services, web 2.0
SmugMug doesn't seem to understand the meaning of privacy
Sure, a password would make the page more secure, but it would also make it more inconvenient for your friends, family, and colleagues to see your vacation photos. But as long as there's no easy way for the general public to find your photos, they're still secure from prying eyes, right?
Maybe not. The problem is that SmugMug gives images a predictable URL string, starting with http://www.smugmug.com/gallery/1000. All you have to do is change the number and you'll start to find photo album after photo album, whether they're market public or private.
As Google Blogoscope's Philipp Lenssen points out, the solution could be as simple as using a random string of characters. But the CEO of SmugMug replied in an email to Lenssen that the system wasn't built for randomized strings, and changing it now would be expensive. And you know what? If most SmugMug users remain blissfully unaware that their "private" images might be publicly accessible then maybe it's not wroth the time and money to fix the flaw. But we kind of think SmugMug and any other company that claims to offer users some level of privacy should really be willing to improve their system when flaws are pointed out.
With Halloween fast approaching, it's a great time to get in some practice defending your territory against zombies. In Graveyard Shift, you take aim at zombies and other creepy-crawlies, blasting them into splatters of cartoony green guts. It's a casual first-person shooter, and it's very easy to get the hang of - use the mouse to aim, click to fire. Graveyard Shift has at least 15 levels, and it might even have some secret stages I haven't unlocked yet.
They key to getting good at Graveyard Shift is learning to use ...
Reader Comments (Page 1 of 1)
kevjohn said 12:48PM on 1-28-2008
That's just sloppy, SmugMug.
I wonder if changing the gallery number to view the different 'private' albums will be considered to be a form of hacking in N. Dakota.
Reply
Erik Anderson said 2:10PM on 1-28-2008
While I agree that this is somewhat sloppy, this type of privacy, even when using random strings, falls into the "security by obscurity" umbrella. If people *really* want their pictures to be private, apply a password.
Reply
Rocketboy said 2:39PM on 1-28-2008
Shades of the MSN Groups Magic Link...
Reply
Barnabas Kendall said 5:12PM on 1-28-2008
I posted a workaround for SmugMug's "problem" in my blog, and it isn't as expensive as the previously proposed solution:
http://barnabas.wordpress.com/2008/01/28/plugging-smugmugs-hole/
They don't have to convert to random characters (or GUIDs), but they should do something. This is a PR disaster waiting to happen, as MySpace recently found out.
Reply
Greg said 1:49PM on 1-30-2008
I agree with KevJohn- this issue does seem sort of sloppy. You would think that with issues like Facebook’s privacy that other sites (competitors even) would tidy up on the privacy settings and even promote a stronger privacy policy. In today’s online world, a solid privacy and security policy could be a huge competitive advantage.
Reply