Private Photos on Google+ and Facebook are only protected by random characters
If you are using an Android device, you may have configured it to automatically upload the photos that you take with it to Google Plus.
Those photos are not available to the public by default, but only to you. Google notes on a help page that this is the highest level of privacy as the web albums -- read your photos -- are only visible to the user who created them.
You can change the visibility of individual photos so that they become visible to a group of people or to the public.
What you probably do not expect is that all your private photos are only protected by random characters but not by access restrictions.
If someone finds out the folder and file structure of a photo's address, by chance or by brute forcing, they can access private photos of Google Plus users without any problem.
Here is the full URL structure of the link: https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/AAAAAAAAAVY/me-vGaheniI/w636-h477-no/IMG_20121030_194044.jpg
As you can see, quite a few random folders and characters are part of the address.
Note: The random characters used in the file path make it very unlikely that someone would go to the length of brute forcing private photos on Google Plus. Still, since there does not seem to be any restriction in place to prevent direct access to private photos, it is something that you should be aware of if you are using Google's service.
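To put rough numbers on the note above, here is an added example (not part of the original article) that bounds the guessing effort for the URL quoted earlier. It assumes a 64-symbol URL-safe alphabet and a hypothetical rate of one million guesses per second; the page does not say which path segments are actually random, so it reports a range and flags segments that look like counters rather than random data.

```python
from urllib.parse import urlparse

# URL quoted in the article above.
URL = ("https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/"
       "AAAAAAAAAVY/me-vGaheniI/w636-h477-no/IMG_20121030_194044.jpg")

BITS_PER_CHAR = 6  # assumption: 64-symbol URL-safe alphabet (A-Z a-z 0-9 - _)
SECONDS_PER_YEAR = 365 * 24 * 3600


def opaque_segments(url):
    """Path segments before the size spec ("w636-h477-no") and the file name."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[:-2]


def looks_structured(segment):
    """True when one character fills more than half the segment (counter-like)."""
    top = max(segment.count(ch) for ch in set(segment))
    return top / len(segment) > 0.5


def expected_years(bits, guesses_per_second):
    """Expected time to find one given token: half the space at a fixed rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def analyse(url, guesses_per_second=1_000_000):
    """Bound the guessing effort; the rate is a hypothetical figure, not a measurement."""
    segments = opaque_segments(url)
    random_like = [s for s in segments if not looks_structured(s)]
    per_segment = {s: len(s) * BITS_PER_CHAR for s in random_like}
    upper = sum(per_segment.values())   # every random-looking segment is secret
    lower = min(per_segment.values())   # only the shortest one is secret
    return {
        "structured": [s for s in segments if looks_structured(s)],
        "upper_bits": upper,
        "lower_bits": lower,
        "upper_years": expected_years(upper, guesses_per_second),
        "lower_years": expected_years(lower, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in analyse(URL).items():
        print(f"{key}: {value}")
```

The figures only describe blind guessing; a URL that leaks through a shared link, browser history or a log needs no guessing at all.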
Want an example? Here is a private photo that I have uploaded to Google Plus. You can click on the link to open it in your browser of choice. You do not need to be signed in to a Google account to do so.
Test this yourself
Want to test this yourself to see if your photos are vulnerable? Do this:
- Open the photos browser on Google Plus.
- Locate a photo that you have not shared with anyone on this page or create a new one by uploading one to the service.
- If you use Firefox, right-click on the image and select "copy image location".
- If you use Google Chrome, right-click on the image and select "copy image url".
- If you use Opera 15+, right-click on the image and select "copy image address".
- If you use Internet Explorer, right-click on the image and select "copy".
- Paste the information in a different browser, or in a private browsing window. The image should load just fine, even if you are not signed in to your Google account.
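The same check can be scripted for one of your own photo URLs. The following is an added example, not from the original article: `served_without_login` requests a URL with no cookies and reports whether image data comes back. `DemoHost`, its `/token-only/` and `/checked/` paths and the `session=owner` cookie are constructed stand-ins so the example runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def served_without_login(url, opener=None):
    """True if a client with no cookies or credentials receives image data."""
    opener = opener or urllib.request.build_opener()  # no cookie jar attached
    try:
        with opener.open(url, timeout=10) as resp:  # redirects are followed
            status, ctype = resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        status, ctype = err.code, ""
    # A redirect to a sign-in page also ends in 200, so check the type as well.
    return status == 200 and ctype.startswith("image/")

class DemoHost(BaseHTTPRequestHandler):
    """Constructed local stand-in for a photo host; not a real service."""

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        token_only = self.path.startswith("/token-only/")  # URL is the only secret
        checked = self.path.startswith("/checked/")        # owner session required
        if token_only or (checked and "session=owner" in cookie):
            self.reply(200, "image/jpeg", b"\xff\xd8\xff\xd9")  # placeholder bytes
        elif checked:
            self.reply(302, "text/html", b"", location="/login")
        else:
            self.reply(200, "text/html", b"<form>sign in</form>")

    def reply(self, code, ctype, body, location=None):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        if location:
            self.send_header("Location", location)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Run the check against both constructed behaviours on a loopback server."""
    with HTTPServer(("127.0.0.1", 0), DemoHost) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        base = f"http://127.0.0.1:{server.server_port}"
        kinds = ("token-only", "checked")
        result = {k: served_without_login(f"{base}/{k}/abc123.jpg", direct) for k in kinds}
        server.shutdown()
    return result
```

`run_demo()` returns `True` for the token-only path and `False` for the path that checks the session, which is the difference the manual test above is looking for.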
Deactivate photo upload
You can disable auto backup of photos that you take using the Google Plus application on your device. Here is how you do so on Android.
- Open the Google+ app on the device.
- Tap on the settings icon in the top right corner and select settings from the menu.
- Tap on Auto Backup on the next page.
- Switch Auto Backup from On to Off at the top.
Photos on Facebook use the same mechanics. When you upload photos to the social networking site and set them to be visible to "only me", you would expect them to be protected even from lucky guesses or brute forcing.
You can copy any private photo URL on the site and open it in another browser that is not linked to your Facebook account, and it works just as well as it does on Google Plus.
The URL is reasonably long on Facebook as well, but if you want to make sure that your private photos stay private, you should not upload them to the site in the first place, as anyone with the right URL may open them.
Closing Words
Some users may not see this as a problem, as the length of the random characters makes it unlikely that someone successfully brute forces or guesses photo urls. Even if they do, they cannot link the photos to particular users on the site.
Privacy conscious users on the other hand may demand better protection of their private photos on the two social networking sites. (via Caschy)
Being sure that no one will guess the URL at random, Google engineers are free to give significantly more freedom to anyone who has the URL. As RossFletch documented, you can access that same photo from another computer or another continent. You can give it to a friend or pull it through an automated scraper, and it will load just the same. For Google, that’s a feature. Maybe you’d like to share the photo with a friend who doesn’t have a Google account, or build an automated system to pull the photo onto another system. So why does it feel more like a hack than a feature? When Reddit stumbled onto the URLs, the group assumed they’d found something unauthorized, a hole Google had neglected to plug up. For the most part, it’s because there was no clear sign of permission from Photos. The web is littered with “Share This” buttons, so it’s strange to find a way to pull down a photo without one. Those buttons usually also lock you in a particular network, whether it’s Facebook, Flickr, or even an all-purpose site like Tumblr. Even if you share more than you meant to, it’s still theoretically confined to other people using the same service, or more specific channels like an email address or local file.
the man is great
I couldn’t access it.. possible it’s been fixed?
http://imgur.com/gorW7DM
This looks more like an api error. I just tried it with another photo and it still works. Try it with one of your photos. Just upload a photo and make sure you do not share it.
Some security researcher brute-forced a rival’s “protected” FB photos by exploiting this method – polling the cdn.
I’m pretty sure the same trick can be pulled off today – with time and motivation. Why anyone would cloud their private life to some remote location is beyond me, however.
The “random characters” in the URL are much longer than the average password length. It would make more sense to write an exposé article about how user accounts are protected only with “random characters.”
This^^^ A lot of places that require a password say it must be between 6 and 18 characters. Some even less than 18. I always use random characters, so my passwords are way less secure than one of these. How ironic. I want a password as long as these!
That’s disgusting – any IT professional would expect and demand permissions to be enforced (like policies in Windows). I would expect at least 1. At least a required login (audit anyone?) and 2. Goddamn permissions to be enforced. I for one have never uploaded any personal images to any social media site, never will.
While the random string is rather long, it still reminds me of fusking ( https://en.wikipedia.org/wiki/Fusker ) which has been around since .. well, before I wore Pants. It created a stink back then and they still haven’t learnt.
The photos are just invisible and unprotected for others who do not have the direct link. The user is free to share your photos with direct links.