
Your private photos are still private.

January 28, 2008

Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking. 🙂

First, a chance to strike it rich: I’ll give $1,000 $599.99 USD (stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I’m not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.

Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:

  • Your private photos are still private. Your secure photos are still secure. Note that there is a difference – this is an important distinction.
  • If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
  • Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up – like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
  • When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
  • While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
  • “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
  • Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?

Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently than everyone else, we discovered early on that a “one size fits all” setting just doesn’t make sense. Instead, we settled on lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo – and anything in between. You can mix and match, and “dial in”, whatever privacy and security settings you’d like, wherever you’d like.

Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry – but that doesn’t mean we can’t do better.

Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.

To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.

When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing – making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share – just a URL. Only people you’ve shared this URL with can find those photos – with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.

Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:

  • It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
  • We offer *lots* of additional options to make this impossible should you want to. This is key – we let you “dial in” the level of privacy and security you want, and this single, lone setting is just the tip of the iceberg.

Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs – a very expensive proposition – except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me. 🙂
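The distinction the post keeps drawing can be shown as a small access-control model: an unlisted (“private”) gallery is hidden from the owner’s pages but still answers a direct URL, a password is the thing that actually refuses a URL, and an unguessable identifier is what would make the URL itself hard to find. This is an added example, not SmugMug’s code; Gallery, listing, can_view, unguessable_id, guess_probability and the sample gallery IDs are assumed for the illustration, and it stores the password with PBKDF2 only because the page says nothing about how passwords are stored.

```python
"""The post's privacy-versus-security split, as an access-control model.

Added illustration, not SmugMug's code: Gallery, listing, can_view,
unguessable_id, guess_probability and the sample IDs are assumed here.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; an assumption, the page does not describe storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Gallery:
    gallery_id: str
    owner: str
    listed: bool = True                  # privacy knob: shown on the owner's homepage?
    salt: Optional[bytes] = None         # security knob: set together with password_hash
    password_hash: Optional[bytes] = None

    @classmethod
    def protected(cls, gallery_id: str, owner: str, password: str, listed: bool = False):
        """A password-protected gallery (the 'security' layer)."""
        salt = secrets.token_bytes(16)
        return cls(gallery_id, owner, listed, salt, hash_password(password, salt))


def listing(owner: str, galleries: List[Gallery]) -> List[str]:
    """Privacy: what the owner's homepage/index shows. Unlisted galleries are simply absent."""
    return [g.gallery_id for g in galleries if g.owner == owner and g.listed]


def can_view(gallery: Gallery, presented_password: Optional[str] = None) -> bool:
    """Security: only a password refuses a direct URL.

    An unlisted gallery with no password is viewable by anyone who has,
    or guesses, its URL; 'listed' never enters this decision.
    """
    if gallery.password_hash is None or gallery.salt is None:
        return True
    if presented_password is None:
        return False
    candidate = hash_password(presented_password, gallery.salt)
    return hmac.compare_digest(candidate, gallery.password_hash)


def unguessable_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, URL-safe: the 'GUID' alternative to a sequential integer."""
    return secrets.token_urlsafe(nbytes)


def guess_probability(id_space_size: int, live_ids: int) -> float:
    """Chance that one uniformly random probe of the ID space hits a real item.

    For sequential integers the space is (roughly) the number of live items,
    so nearly every probe inside the range lands on something real.
    """
    return live_ids / id_space_size


def demo() -> dict:
    """Constructed galleries: one listed, one unlisted, one password-protected."""
    galleries = [
        Gallery("4220006", "philipp"),                    # sequential ID, listed
        Gallery("4220007", "philipp", listed=False),      # "private": unlisted, no password
        Gallery.protected(unguessable_id(), "philipp", "hunter2"),
    ]
    return {
        "homepage": listing("philipp", galleries),
        "unlisted_direct_url": can_view(galleries[1]),
        "protected_no_password": can_view(galleries[2]),
        "protected_right_password": can_view(galleries[2], "hunter2"),
        "sequential_hit_rate": guess_probability(250_000_000, 250_000_000),
        "random_hit_rate": guess_probability(2 ** 128, 250_000_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hit-rate figures are the point of the comparison the post is making: with sequential integers every probe inside the live range is a real gallery or photo, so the “private” flag only decides whether a visitor is told where to look, whereas a 128-bit random identifier makes the same probe succeed with probability on the order of 1e-30. guess_probability treats the sequential space as exactly the number of live items; deleted IDs and gaps make the real figure somewhat lower without changing the order of magnitude.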

In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.

After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.


First email:

Hi Philipp,

I’m the CEO & Chief Geek at SmugMug, and I’m terribly sorry this is so confusing. Security & privacy are huge issues here at SmugMug, and we take them very seriously. Let me see if I can explain how things work and you can fill me in where we’re wrong:

First of all, we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in without a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question. Our customers love this feature, and have worked with us over the years to specifically design it this way.

Now, as you’ve pointed out, there is one possible loophole: they might be able to guess or even brute force crawl for the URL.

I’m in complete agreement that GUIDs would help greatly here, but I’m afraid our system wasn’t built for GUIDs, and retrofitting our code and database to support GUIDs would be an extremely expensive proposition. Not that we’re not willing to do it – we would certainly consider it – but yours is the first request I’ve seen in years to do so.

And the reason is simple – guessing a photo, or even a set of photos, from among 247,000,000+ photos is incredibly difficult. Even when you’re uploading a batch of photos to your own gallery, the likelihood of all of your photos being “in order” is very rare – there are just so many photos coming in every minute. A year from now, we’ll likely have over 500,000,000 photos, so the problem gets even less critical, in my opinion. That’s really the only thing a GUID solution would do, too – guessing would become astronomically difficult. Well, we’re not astronomically difficult, but we are very difficult – and getting more difficult every day.

But since guessing is a possibility (I consider brute forcing to be a near impossibility – crawling 250M photos in an automated way with image analysis to locate something specific is basically impossible), we have lots more features that fall into the Security category. It’s easily possible with our settings to completely eliminate this “hole” (again, I want to stress that while I wish we’d used GUIDs from the beginning, we really don’t consider this to be a security hole). Setting a password and disabling external links will make your images uncrawlable and unguessable. Many of our customers do – but those that choose not to are likely doing it because they don’t want this level of security.

I’m happy to go into all the privacy and security controls and permutations, if you’d like. There are many, and your site basically can become totally impregnable. What’s more, the settings can be applied to images themselves, or galleries, or your entire account – or mixed and matched however you’d like.

You are, of course, free to blog about our settings – we’re very open about them and what the tradeoffs for the various options are. In fact, if you let me know about it, I’m likely to link to it from my blog. We’re also very open to change – nearly every feature, bug fix, and enhancement is driven by customer feedback, like yours. If our customers (or potential customers) asked us to adopt GUIDs because this was a bigger issue than we were aware – we would.

I think this email has brought up one more thing we can do better with regards to private images, though. I’m gonna do a little research and make sure it’ll work, so I may be in touch in a few days with a follow-up if you don’t mind.

Thank you so much for letting us know about this. I promise I’ll take it into consideration whenever we’re discussing the issue in the future.

And thanks, especially, for giving us a shot and caring enough to write. It’s that kind of passion we prize above all else in our customers.

Don MacAskill
CEO & Chief Geek
SmugMug

Second email:

Hi Philipp,

Yep, I am, and the same things apply – our security features completely prevent this, should you care or want to, but our privacy features work as designed – they make it difficult, but not impossible, to find galleries.

One common analogy I hear our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.

Private galleries (rather than protected ones) are the same way. And they’re that way because thousands and thousands of our customers have asked us, in great detail, to make them that way.

In fact, we even have a setting that enables you to specifically hide the fact that you own a particular gallery, so even if someone “guesses” your gallery (that you’ve chosen not to protect), they can’t find out who owns it or follow a trail back to your homepage.

Again, we think the key to the privacy & security solution is flexibility. Everyone has different ideas about what privacy and security online means, and how much is too much. So rather than providing a single solution that only serves a fraction of our user base, either too secure or not secure enough, we’ve built a solution with lots of gradients for both privacy and security – so you can dial your own.

I believe we offer enough flexibility that we serve nearly everyone, but we continue to enhance our offering, add features, and fix bugs as they’re brought up to us.

Hope that helps, and thanks again for your interest. I’m a big fan of your blog, so I’m definitely interested in your thoughts.

Don MacAskill
CEO & Chief Geek
SmugMug

Philipp Lenssen wrote:
> Hi Don,
>
> Thanks for your explanation. Just to clarify: are you aware that
> gallery IDs can be iterated just the same as image IDs and thus, one
> can easily crawl all your galleries and filter to just those set to be
> private? With gallery ID, I’m referring to e.g.
> http://www.smugmug.com/gallery/4220006
>
> cheers
> Philipp

And the privacy hole:

Hi Philipp,

Your email to me got me thinking about how I redirect in the event that a hostname doesn’t match.

If you try to fetch a URL from cmac.smugmug.com that actually belongs to don.smugmug.com, we do a 304 redirect to don.smugmug.com before serving it. The intent is that we don’t want someone to “spoof” that a photo actually belongs to one user, rather than another.

In 5 years, stupid me, it never occurred to me that you could use that same functionality to actually find out whose account a photo belongs to. Your email opened my eyes, and that hole is now fixed.

Good intent, poor implementation. Now we have both.

Thanks!
Don
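The ownership leak described in this email is an instance of a more general problem: a response that differs depending on something the requester is not supposed to learn. The model below is added here and is not SmugMug’s code (the hostnames, photo table, Photo and Response types and the serve_* functions are constructed for the example). It shows a handler that redirects on any host mismatch, which answers “whose photo is this?” for every photo ID, next to one that returns the same not-found response for a mismatched host as for a photo that does not exist whenever the photo sits in an unlisted gallery. The page does not say how the hole was actually closed; the hardened handler is one assumed fix.

```python
"""Hostname-mismatch redirect as an ownership oracle, and a non-leaking variant.

Added illustration, not SmugMug's code. The photo table, hostnames, Photo,
Response, serve_vulnerable, serve_hardened and leak_check are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Photo:
    owner_host: str   # the subdomain this photo really belongs to
    unlisted: bool    # True for a photo in an unlisted ("private") gallery


# Constructed sample data: only these three IDs exist.
PHOTOS: Dict[int, Photo] = {
    100: Photo("don.example.test", unlisted=True),
    101: Photo("don.example.test", unlisted=False),
    102: Photo("cmac.example.test", unlisted=True),
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None   # Location header for redirects
    body: str = ""


NOT_FOUND = Response(404, body="not found")


def serve_vulnerable(host: str, photo_id: int) -> Response:
    """Pre-fix behaviour: a photo fetched under the wrong hostname is
    redirected to its owner's hostname before being served.

    The redirect target names the owner, so the canonicalisation doubles
    as an ownership lookup for any photo ID requested under a foreign host.
    """
    photo = PHOTOS.get(photo_id)
    if photo is None:
        return NOT_FOUND
    if host != photo.owner_host:
        return Response(302, location=f"https://{photo.owner_host}/photos/{photo_id}")
    return Response(200, body=f"photo {photo_id}")


def serve_hardened(host: str, photo_id: int) -> Response:
    """Assumed fix: an unlisted photo requested under a host that does not own
    it gets exactly the response a nonexistent photo gets. Listed photos are
    public anyway, so redirecting them reveals nothing new.
    """
    photo = PHOTOS.get(photo_id)
    if photo is None or (photo.unlisted and host != photo.owner_host):
        return NOT_FOUND   # the same object either way: same status, headers, body
    if host != photo.owner_host:
        return Response(302, location=f"https://{photo.owner_host}/photos/{photo_id}")
    return Response(200, body=f"photo {photo_id}")


def owner_revealed(response: Response) -> Optional[str]:
    """What a requester learns from a redirect: the host in its Location header."""
    if response.location is None:
        return None
    return response.location.split("/")[2]


def leak_check(serve: Callable[[str, int], Response], probe_host: str,
               ids: Iterable[int]) -> Dict[int, Optional[str]]:
    """Regression check for a handler: which owners a single foreign host learns
    from the given IDs. Nothing but None should come back for unlisted photos."""
    return {i: owner_revealed(serve(probe_host, i)) for i in ids}


if __name__ == "__main__":
    ids = range(99, 104)
    print("vulnerable:", leak_check(serve_vulnerable, "probe.example.test", ids))
    print("hardened:  ", leak_check(serve_hardened, "probe.example.test", ids))
```

Closing the redirect channel only helps if the served page itself does not name the owner, which is the objection one commenter raises further down this page; the same rule, identical responses regardless of the secret, applies to page bodies, response sizes and timing as much as to headers.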

  1. January 28, 2008 at 3:34 pm

    FWIW, I’ve been a customer for almost two years, and I’m very happy with the way the privacy and security settings work. More options (and harder to guess URLs) would always be nice, but it’s pretty low on my personal Smugmug feature wishlist…

  2. Dan
    January 28, 2008 at 4:50 pm

    Regarding the $1000 photo – am I on drugs or is the image empty / blank / removed? Sorry, I don’t understand the point.

  3. January 28, 2008 at 4:55 pm

    Challenge kind of solved. Email on its way.

  4. January 28, 2008 at 5:06 pm

    Thanks for clarifying your side of the issue Don. This is just a note that co-editor Tony Ruscoe and I both independently just solved the contest question (no, we don’t want the money), but I would like to emphasize that this contest question is about a different issue. As the Blogoscoped post said, the issue we discussed earlier is about galleries set to be private, not galleries set to be password-protected, and the point remains that those private galleries can be crawled publicly en masse using something as simple as a Firefox download manager.

  5. Dave
    January 28, 2008 at 6:04 pm

    I clearly see both sides of this issue. My knee-jerk reaction upon reading Phillip’s post was one of shock and a tad bit of outrage. However, after reading your reasoning, particularly the telephone number analogy, it makes perfect sense and I think is the best solution. I totally agree that privacy and security are two completely separate issues, and should be addressed individually.

    As far as switching to GUIDs? Meh. Yes, it adds a bit more obfuscation to the URL, but at what cost? GUIDs are tacky and cumbersome when visible to an end-user. I love SmugMug for its simplicity and elegance. I’d much rather give people a legible URL than some abomination that I’d probably have to pass through TinyURL before giving it to someone.

  6. Chirayu Patel
    January 28, 2008 at 6:20 pm

    About the privacy fix… it doesn’t fix anything. One can still figure out the gallery owner by looking at the page contents.

  7. /pd
    January 28, 2008 at 6:24 pm

    Dave – not sure what you mean here “However, after reading your reasoning, particularly the telephone number analogy, it makes perfect sense ”

    Would you care to clarify?

  8. January 28, 2008 at 6:38 pm

    I give you a lot of credit for tackling the issue head on. Often, crisis management can be the most challenging and difficult to win the day but you handled it well. Hopefully, you can get another good night’s sleep!

    Mark

  9. January 28, 2008 at 6:40 pm

    I found several XSS vulnerabilities on your site (starts from the signup page). You will probably want to take a look at them.

  10. January 28, 2008 at 7:24 pm

    I think you could end up being okay here so long as you made it very clear when people can specify “private” that they know that their pictures are basically leaked onto the Internet.

    When I think “private”, I personally do not think “leaked onto the Internet” for the world to see.

    Example scenario:
    * a scr1pt kiddie group, let’s say, called Anonymous, writes a script to pilfer a good chunk of your 250 million photos (maybe using proxy servers & the like to download all of them)
    * they then setup a distributed website to let people go through them by hand & identify “incriminating photos”, let’s say 1% of the total pilfered.

    They then package these into a .torrent and upload it to The Pirate Bay.

    All of a sudden Bob & Susie’s private erotic bedtime / beach “private” photos have been downloaded 50k times by Interweb geeks, archived for eternity for the entire Internets to see.

    Sound like a stretch? 576,000 “private” MySpace photos (not all of them were really private, but still):
    http://thepiratebay.org/tor/3985864/%5Btribalwar.com%5D_567_000_private_myspace_pictures

  11. Colleen
    January 28, 2008 at 8:25 pm

    I just wanted to say that I have been a user of smugmug for over 3 years and I love it. I particularly love the various options for my galleries and photos; it is one of the main reasons I chose smugmug when looking for a place for my photos. I have always felt the explanations have been there and in simple terms for even the non-techy users. Ultimately, if a user has private photos they don’t want seen at all and wants to use smugmug, they SHOULD be aware of all the settings available and if they want those photos to stay completely hidden, they should use a password and many of the other options.
    I just wanted to say I am very happy with the privacy/security options and one of the best features of smugmug IS the options for different levels based on your mixed needs as a user. Thank you.

  12. January 29, 2008 at 9:35 am

    First off, job well done on the communication. Many companies would have ignored Philip and his post, but you’ve done a great job of being open about it. It’s comforting to know that you’re actually listening and responsive.

    Honestly, I don’t see what Philip is complaining about. The feature seems to me to be quite clearly described in both the on-screen blurb and the popup help text. I can’t understand how he made the jump from “don’t show this gallery on my homepage” to “nobody can ever see these pictures”.

    That said, it might be worth changing the title just to make it a smidge clearer. I like your phone number analogy, maybe you could call the option “unlisted”?

  13. eric
    January 29, 2008 at 12:23 pm

    Don,

    I appreciate the post, but I think there are a couple of problems.

    The first one is that private is too generic of a term, and – at least the last time I looked at it – there wasn’t a good description of what all the various options mean wrt privacy. So, if that’s not there, a “how to protect your photos” doc would be helpful.

    Second, I don’t think your tone works well. Nothing is impregnable, and I think talking about it just makes you look silly. And frankly, any mention of “thousands and thousands” of customers is pure marketing-speak, and doesn’t belong in this sort of post. Nor does the petty jab at Phil on the last bullet point.

    Finally, it’s not clear to me that you had Phil’s permission to publish the emails.

  14. January 29, 2008 at 2:35 pm

    Don, we just emailed you the full content of that contest image, but again we believe the issues are different ones and not this contest (and again we don’t want any money). Thanks.

  15. January 29, 2008 at 2:47 pm

    @Philipp:

    Actually, you mailed me partial content of the contest image. You’re missing a few million pixels. 🙂

    That being said, I consider the hole(s) in question to be serious, so I look forward to your email with details so I can fix them properly.

  16. January 29, 2008 at 4:21 pm

    At 600×450 pixels, that pic we found was quite large enough to make out everything in it, and would not have shielded anything anyone would want to keep private. (But as we don’t want the contest money anyway, nor do we think the contest is the core issue, this doesn’t matter.)

    We also added an update to the Blogoscoped post you link to, reporting how even photos set to private + password-protected + external-linking-disabled and what-not can be publicly viewed, using a certain different approach we emailed you about (again including the ability to mass-crawl such photos as they don’t use something like GUIDs).

  17. January 29, 2008 at 11:18 pm

    With all due respect, I don’t think challenging someone to retrieve details with a single JPG to be all that representative of the core issue here, that being the privacy of the application itself. How does a single image represent the overall application, its architecture, security measures and practices, et al?

    The competition is almost like a Red Herring.

  18. Matt Johnson
    January 30, 2008 at 11:38 am

    With the public option for albums it makes sense that if you have a direct link it’s still accessible for anyone… but I don’t think it should be labeled as “private”, and I think there should be an option for truly private albums that are only accessible when logged in with the main account.

    The fact that there are holes that allow even password protected albums to be accessed without the password is also concerning.

    That being said, those are concerns, and the biggest ones I have for using SmugMug, but I believe these are manageable problems that the company can get fixed soon. I’m just going to keep a closer eye on it now.

    I would also feel more comfortable if image ids were using GUIDs because then if a problem of similar degree arises in the future the GUIDs considerably limit the extent of the problem. I would be interested to explore the idea of using GUIDs and what other possibly negative effects it would have on things. Maybe there could be a post discussing the implications of using GUIDs?

  19. Kendra
    January 30, 2008 at 11:51 am

    I too am happy with my SmugMug account, but clearly they need to be more up front on what their privacy means. I am surprised the breaking of this story hasn’t provoked more action or public announcements from them

  20. Jeff Dean
    January 31, 2008 at 9:41 pm

    I complained about this problem almost a year ago and got the same basic response: we don’t think this is a problem. I thought it was a problem then and I still do now. The fact that private pictures can be found simply by iterating over URLs points to a weak implementation; there is no good reason for allowing this.

    I ask again, SmugMug, that you please fix this.

    (BTW, I also reported the problem about being able to determine the owner of an account. By iterating over URLs, I found a set of private pictures from a January 2003 vacation in Tenerife and I gave SmugMug the names of the owners. I am glad that you finally fixed this but I am disappointed that it took you so long.)

    — Jeff

  21. Scott
    February 1, 2008 at 4:55 pm

    @Jeff Dean

    “The fact that private pictures can be found simply by iterating over URLs points to a weak implementation”

    Disagree — the problem is not the implementation, it’s the name. If they called them unlisted, it would be clear what they meant. For example, “unlisted” phone numbers can be found simply by iterating over phone numbers. This is not a weak implementation, it’s just what unlisted means — not listed in a directory.

  22. donna
    April 25, 2009 at 8:42 pm

    grrrrrrrrrrrrrrrrr

  23. August 9, 2009 at 10:31 am

    I found this informative and interesting blog so i think so its very useful and knowledge able.I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me.

  24. November 6, 2009 at 3:56 pm

    Love it! You got me so excited to get one and start shooting video!
