Photo hosting site SmugMug apparently has a huge security hole which allows anyone to easily access other users’ photos which have been marked as “private,” reports Google Blogoscoped. What’s worse, the folks at SmugMug are aware of the issue, but claim this is intended behavior, separating the notions of “privacy” and “security.”
In a nutshell, the problem is this: if you set your photos as “private,” they can still be accessed simply by URL manipulation. For example, I randomly typed the URL "http://www.smugmug.com/gallery/1021" into my browser and got someone’s gallery that, perhaps, was not intended for the whole world to see. It is possible to prevent this behavior by setting a special password for your image/gallery, but how many people understand this?
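To make the difference between a hidden URL and an actual access check concrete, here is an added example (a constructed in-memory model, not SmugMug’s code). The first handler serves any gallery whose sequential id is named in the request, which is the behavior described above; the second refuses a private gallery unless the requester owns it or supplies the gallery password; the share-token helper shows how a “tell people where you live” link can be handed out without making the id guessable.

```python
import hmac
import secrets

# Constructed sample data: sequential gallery ids like the one in the article.
GALLERIES = {
    1020: {"owner": "alice", "private": False, "password": None},
    1021: {"owner": "bob",   "private": True,  "password": None},
    1022: {"owner": "carol", "private": True,  "password": "drapes"},
}

def fetch_gallery_obscurity(gallery_id):
    """Privacy-only model: a 'private' gallery is left out of listings and
    search, but any request that names its id is served regardless of who asks.
    This reproduces the behavior the article describes."""
    return GALLERIES.get(gallery_id)

def fetch_gallery_checked(gallery_id, requester=None, password=None):
    """Security model: a private gallery is served only to its owner or to a
    visitor presenting the correct gallery password. None stands for a 403/404."""
    gallery = GALLERIES.get(gallery_id)
    if gallery is None or not gallery["private"]:
        return gallery
    if requester == gallery["owner"]:
        return gallery
    if gallery["password"] is not None and password is not None:
        # constant-time comparison so a wrong password leaks nothing by timing
        if hmac.compare_digest(gallery["password"], password):
            return gallery
    return None

# Share links: an unguessable random token maps to the gallery, so a URL can be
# given to friends without the gallery being reachable by counting upward.
SHARE_TOKENS = {}

def make_share_link(gallery_id):
    token = secrets.token_urlsafe(16)   # 128 bits of randomness
    SHARE_TOKENS[token] = gallery_id
    return token

def fetch_by_share_token(token):
    gallery_id = SHARE_TOKENS.get(token)
    return GALLERIES.get(gallery_id) if gallery_id is not None else None
```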
Here’s an excerpt from SmugMug’s CEO Don MacAskill’s long conversation with Google Blogoscoped:
“…we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in without a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).
At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.
The problem here, of course, is that most people don’t care about semantics in cases such as this; if they set a photo to “private,” most of them probably expect that no one else can see it, period. A similar discussion arose recently when it was discovered that Google Reader shares your “shared” items with everyone in your Gmail account, but this is a far worse problem, because private photos are at stake. As usual, it will probably just take some media attention (such as this article) for the folks at SmugMug to come to their senses, but why does it always have to be so?