Private Photos on Google+ and Facebook are only protected by random characters

If you are using an Android device, you may have configured it to automatically upload the photos you take with the device to Google Plus.

Those photos are not available to the public by default, but only to you. Google notes on a help page that this is the highest level of privacy, as the web albums -- read: your photos -- are only visible to the user who created them.

You can change the visibility of individual photos so that they become visible to a group of people or to the public.

What you probably do not expect is that all your private photos are only protected by random characters but not by access restrictions.

If you find out the folder and file structure, by chance or brute forcing in the wild, you can access private photos of Google Plus users without problem.

[Screenshot: private photo Google Plus url]

Here is the full url structure of the link: https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/AAAAAAAAAVY/me-vGaheniI/w636-h477-no/IMG_20121030_194044.jpg

As you can see, quite a few random folders and characters are part of the address.

Note: The random characters used in the file path make it very unlikely that someone would go to the length of brute forcing private photos on Google Plus. Still, since there does not seem to be any restriction in place to prevent direct access to private photos, it is something that you should be aware of if you are using Google's service.

Want an example? Here is a private photo that I have uploaded to Google Plus. You can click on the link to open it in your browser of choice. You do not need to be signed in to a Google account to do so.

Test this yourself

[Screenshot: copy private image url]

Want to test this yourself to see if your photos are vulnerable? Do this:

  1. Open the photos browser on Google Plus.
  2. Locate a photo that you have not shared with anyone on this page or create a new one by uploading one to the service.
  3. If you use Firefox, right-click on the image and select "copy image location".
  4. If you use Google Chrome, right-click on the image and select "copy image url".
  5. If you use Opera 15+, right-click on the image and select "copy image address".
  6. If you use Internet Explorer, right-click on the image and select "copy".
  7. Paste the url into a different browser, or into a private browsing window. The image should load just fine, even if you are not signed in to your Google account.
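The manual test above can be scripted, and the same script quantifies the "random characters" point from the url structure shown earlier. This is an added example, not code from the article or from Google: it splits the path into segments, treats the opaque base64url segments as the photo's effective password (the sizing segment and the file name are excluded), estimates their entropy, and optionally repeats the cookie-less fetch for a url you pass on the command line. The distinct-character heuristic for spotting a sequential id is an assumption of this example.

```python
import math
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample: the url structure quoted in the article above.
SAMPLE_URL = ("https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/"
              "AAAAAAAAAVY/me-vGaheniI/w636-h477-no/IMG_20121030_194044.jpg")

TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")   # base64url alphabet: 6 bits per char
SIZING = re.compile(r"^w\d+-h\d+")        # e.g. w636-h477-no: a size option, not a secret

def capability_segments(url):
    """Path segments that act as the photo's 'password': opaque base64url
    tokens, excluding the sizing option and the human-readable file name."""
    segs = [s for s in urlparse(url).path.split("/") if s]
    return [s for s in segs if TOKEN.match(s) and not SIZING.match(s)]

def looks_random(seg):
    """Assumed heuristic: a token with very few distinct characters
    (AAAAAAAAAVY) is probably a sequential id and adds little secrecy."""
    return len(set(seg)) * 2 >= len(seg)

def token_entropy_bits(url):
    """(nominal, effective) bits: nominal counts every token character at
    6 bits; effective drops segments that fail the randomness heuristic."""
    segs = capability_segments(url)
    nominal = 6.0 * sum(len(s) for s in segs)
    effective = 6.0 * sum(len(s) for s in segs if looks_random(s))
    return nominal, effective

def password_entropy_bits(length, alphabet=94):
    """Bits of a uniformly random password over `alphabet` printable symbols."""
    return length * math.log2(alphabet)

def loads_without_login(url, timeout=10):
    """Scripted version of the manual test: fetch with a client that holds
    no Google cookies and report whether an image comes back (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "privacy-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return resp.status == 200 and ctype.startswith("image/")
    except urllib.error.HTTPError:
        return False

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URL
    nominal, effective = token_entropy_bits(url)
    print("tokens:", capability_segments(url))
    print(f"entropy: {nominal:.0f} bits nominal, {effective:.0f} bits effective "
          f"(8-char password: {password_entropy_bits(8):.1f} bits)")
    if len(sys.argv) > 1:
        print("loads without login:", loads_without_login(url))
```

Run it with one of your own private photo urls as the argument; an effective entropy far above a password's confirms the "hard to guess" half of the article, while a True from the fetch confirms the "no access restriction" half.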

Deactivate photo upload

[Screenshot: turn off auto backup]

You can disable auto backup of photos that you take using the Google Plus application on your device. Here is how you do so on Android.

  1. Open the Google+ app on the device.
  2. Tap on the settings icon in the top right corner and select settings from the menu.
  3. Tap on Auto Backup on the next page.
  4. Switch Auto Backup from On to Off at the top.

Facebook

Photos on Facebook use the same mechanics. When you upload photos to the social networking site and set them to be visible to "only me", you would expect them to be protected even from lucky guesses or brute forcing.

You can copy any private photo url on the site and open it in another browser that is not linked to your Facebook account, and it works just as well as it does on Google Plus.

The url is reasonably long on Facebook as well, but if you want to make sure that your private photos are indeed private, you should not upload them to the site in the first place, as anyone with the right url may open them.

Closing Words

Some users may not see this as a problem, as the length of the random strings makes it unlikely that someone successfully brute-forces or guesses photo urls. Even if they do, they cannot link the photos to particular users on the site.

Privacy conscious users on the other hand may demand better protection of their private photos on the two social networking sites. (via Caschy)

Responses to Private Photos on Google+ and Facebook are only protected by random characters

  1. Leonardo April 11, 2014 at 7:40 pm #

    The photos are just invisible and unprotected for others who do not have the direct link. The user is free to share your photos with direct links.

  2. Pants April 11, 2014 at 8:03 pm #

    That's disgusting - any IT professional would expect and demand permissions to be enforced (like policies in Windows). I would expect at least 1. At least a required login (audit anyone?) and 2. Goddamn permissions to be enforced. I for one have never uploaded any personal images to any social media site, never will.

    While the random string is rather long, it still reminds me of fusking ( https://en.wikipedia.org/wiki/Fusker ) which has been around since .. well, before I wore Pants. It created a stink back then and they still haven't learnt.

  3. Mike April 12, 2014 at 4:32 pm #

    The "random characters" in the URL are much longer than the average password length. It would make more sense to write an exposé article about how user accounts are protected only with "random characters."

    • Bobby Phoenix April 13, 2014 at 3:17 am #

      This^^^ A lot of places that require a password say it must be between 6 and 18 characters. Some even less than 18. I always use random characters, so my passwords are way less secure than one of these. How ironic. I want a password as long as these!

  4. Cats April 12, 2014 at 5:07 pm #

    Some security researcher brute-forced a rival's "protected" FB photos by exploiting this method - polling the cdn.
    I'm pretty sure the same trick can be pulled off today - with time and motivation. Why anyone would cloud their private life to some remote location is beyond me, however.

  5. ben April 14, 2014 at 6:26 am #

    I couldn't access it.. possible it's been fixed?

    http://imgur.com/gorW7DM

    • Martin Brinkmann April 14, 2014 at 8:32 am #

      This looks more like an api error. I just tried it with another photo and it still works. Try it with one of your photos. Just upload a photo and make sure you do not share it.
