Private Galleries can be accessed at Smugmug - gHacks Tech News

Private Galleries can be accessed at Smugmug

If you would use an image host, put up some of your images and set them to private, would you expect them to be still accessible by anyone ? This is apparently the case over at Smugmug where a private setting simply means that the pictures and image galleries are not directly linked from the homepage anymore but can still be accessed by simply entering the url directly in the browser address bar or download manager.

The real problem arises because files are named sequentially at Smugmug which means that anyone with just a little bit of technical knowledge will be able to download all images from all galleries set to public and private. The only galleries that are not accessible are the password protected ones obviously.

The urls for the galleries can be accessed by opening a url starting with http://www.smugmug.com/gallery/*, for example http://www.smugmug.com/gallery/1000, http://www.smugmug.com/gallery/1001 in your browser. Pictures can be accessed directly by loading http://www.smugmug.com/photos/*-M.jpg in your browser where * is a number between 1 and x. So, everyone can access pictures like http://www.smugmug.com/photos/1000-M.jpg, http://www.smugmug.com/photos/10001-M.jpg and so on.

Google Blogoscope who discovered this loophole contacted Smugmug and received a reply that was not that satisfactory. According to CEO Don MacAskill this is the intended way it should work:

First of all, we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.





  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Ally said on August 3, 2008 at 11:22 pm
      Reply

      I have to say that this is very true!
      I tried once to see if my daughters pics were available on the net to test the “Privacy” of my albums on a famous photo sharing site … it was not a surprise when I found out that anyone could have access to them, this is why I decided to look for an alternative to share with my family some pictures. I just discovered the photo sharing site Joomeo (http://www.joomeo.com), and I am pretty much convinced that my photos will be a lot safer with this service than with the giants of the sharing business

    2. Mariah said on July 8, 2011 at 7:57 am
      Reply

      I still don’t understand how to do this. I tried to do what you said but was unsuccessful.

    3. Lisa said on July 10, 2011 at 4:51 am
      Reply

      I actually like this feature. This allows me to display galleries on my smugmug site that I would like customers to see and it also allows me to link to pictures of personal galleries on my blog site. You can only have so many pictures on WordPress before you reach you data limit and will need to pay. If you have an unlimited account with smugmug,then you don’t have to worry about this. If you don’t want someone to get in a particular gallery you should password protect it.

    4. art said on October 2, 2013 at 3:12 pm
      Reply

      I know I’m late. But I don’t see how this is a loop hole. If a person doesn’t know the gallery exist, how can they access it? Now if you mean a person is just snooping around trying to figure out if people have private files, That’s something else. But again, how is this considered a loop hole. You want it private and secure add a password.

    5. Jeff said on January 3, 2016 at 2:35 am
      Reply

      It’s actually *worse* than this. You can “password protect” galleries on your smugmug site all you want, and it only protects the URL…. if you know the URL of the image, and NOT the password you can still see the image. They know about this but aren’t concerned as they have now randomized the URL.

      You can test this yourself. PW protect a gallery. Look at an image in your gallery, right click, copy link of the image.

      Then open a DIFFERENT browser… and paste that URL in… it will work.

      In my opinion, if something is password protected, it should require a password to see!

    6. Anonymous said on October 22, 2016 at 11:54 am
      Reply

      This loophole seems to have been fixed.

    Leave a Reply