Tuesday, July 16, 2019

Google Photos Is Making Photos Semi-public

Robert Wiblin (via Hacker News):

Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.

[…]

If that ‘secret’’ link is ever revealed, anyone anywhere will be able to see it until I go and delete that specific sharing instance. And I’d have no way to find out that they were viewing it!

This is perhaps not surprising if you’ve used Flickr, which works the same way, and even has a way to track visits to the link. But it is surprising from the perspective of Facebook or Google’s own Drive, where sharing with a particular user makes a link only for that user.

Update (2019-07-17): Russell Brandom (via sciwizam):

So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you’d have to work through 10^70 different combinations to get the right one, a problem on an astronomical scale. “There are enough combinations that it’s considered unguessable,” says Aravind Krishnaswamy, an engineering lead on Google Photos. “It’s much harder to guess than your password.” Because web traffic for Photos is encrypted with SSL, it’s also kept secret from anyone on the network who might be listening in.

However, it would be easy for people to listen in if you send the URL to anyone via an unencrypted service such as e-mail.

Comments RSS · Twitter

Leave a Comment