If you are using an Android device, you may have configured it to automatically upload the photos that you take with the device to Google Plus.
Those photos are not available to the public by default, but only to you. Google notes on a help page that this is the highest level of privacy as the web albums -- read your photos -- are only visible to the user who created them.
You can change the visibility of individual photos so that they become visible to a group of people or to the public.
What you probably do not expect is that all your private photos are protected only by random characters in their web address, not by access restrictions.
Anyone who finds out the folder and file structure of a photo's address, by chance or by brute forcing in the wild, can access that private photo of a Google Plus user without problem.
Here is the full URL structure of the link: https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/AAAAAAAAAVY/me-vGaheniI/w636-h477-no/IMG_20121030_194044.jpg
As you can see, quite a few random folders and characters are part of the address.
Note: The random characters used in the file path make it very unlikely that someone would go to the length of brute forcing private photos on Google Plus. Still, since there does not seem to be any restriction in place to prevent direct access to private photos, it is something that you should be aware of if you are using Google's service.
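The difference between a photo protected only by random characters in its address and one protected by an access restriction, as an added example (not code from Google or Facebook, and not part of the original article). It is a toy in-memory photo host; `PhotoStore`, its method names and the user names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Photo:
    owner: str
    data: bytes
    visibility: str = "private"  # "private", "shared" or "public"
    shared_with: set = field(default_factory=set)

class PhotoStore:
    """Toy in-memory photo host; every name here is hypothetical."""
    def __init__(self):
        self._by_token = {}

    def upload(self, owner, data, visibility="private"):
        # 128-bit random token: the "random characters" in the URL path
        token = secrets.token_urlsafe(16)
        self._by_token[token] = Photo(owner, data, visibility)
        return token

    def serve_by_url_only(self, token):
        """Secret-URL model: knowing the token is the only check."""
        photo = self._by_token.get(token)
        return (200, photo.data) if photo else (404, b"")

    def serve_with_access_check(self, token, session_user=None):
        """Access-restricted model: the token only locates the photo;
        the signed-in user decides whether it is returned."""
        photo = self._by_token.get(token)
        if photo is None:
            return 404, b""
        allowed = (
            photo.visibility == "public"
            or session_user == photo.owner
            or (photo.visibility == "shared" and session_user in photo.shared_with)
        )
        # 404, not 403: a denied request should not confirm the token exists
        return (200, photo.data) if allowed else (404, b"")

def demo():
    store = PhotoStore()
    token = store.upload("alice", b"JPEG-BYTES (constructed sample)")
    return {
        "url_only_anonymous": store.serve_by_url_only(token)[0],
        "checked_anonymous": store.serve_with_access_check(token)[0],
        "checked_other_user": store.serve_with_access_check(token, "bob")[0],
        "checked_owner": store.serve_with_access_check(token, "alice")[0],
    }
```

With the first handler a leaked or forwarded address is enough to open the photo; with the second, the same address returns nothing unless the session belongs to the owner or to someone the photo was shared with.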
Want an example? Here is a private photo that I have uploaded to Google Plus. You can click on the link to open it in your browser of choice. You do not need to be signed in to a Google account to do so.
Test this yourself
Want to test this yourself to see if your photos are vulnerable? Do this:
Deactivate photo upload
You can disable auto backup of photos that you take using the Google Plus application on your device. Here is how you do so on Android.
Photos on Facebook use the same mechanics. When you upload photos to the social networking site and set them to be visible to "only me", you would expect them to be protected even from lucky guesses or brute forcing.
You can copy any private photo URL on the site and open it in another browser that is not linked to your Facebook account, and it works just as well as it does on Google Plus.
The URL is reasonably long on Facebook as well, but if you want to make sure that your private photos are indeed private, you should not upload them to the site in the first place, as anyone with the right URL may open them.
Some users may not see this as a problem, as the length of the random characters makes it unlikely that someone successfully brute forces or guesses photo URLs. Even if they do, they cannot link the photos to particular users on the site.
Privacy conscious users on the other hand may demand better protection of their private photos on the two social networking sites. (via Caschy)
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.