"The only security measure is that the album link is hard to guess. It was pointed out that this link is really HARD to guess. It does not need to be guessed. All it would take for some strangers to get access to my private photos, is for one of my relatives to share this link by mistake."
FWIW, whenever I share sensitive documents on drive, I do so via a shareable link. I figured if I trust someone not to download the file and share it as an attachment, then I trust that person to not share the url publicly as well.
One distinction though, is that URLs are much easier to steal, as compared to login info. People often don't make an effort to hide their browser URL when using their laptop in a public location, nor do they clear their history when using a shared computer. In theory, someone determined can use these vulnerabilities to steal a URL address.
In practice, the above threat-model seems obscure and unlikely enough, that for a social service like Google photos, what Google has seems reasonable enough. I can understand the author's surprise, but I can also understand Google's policy here.
It reminds me of the old way Chrome didn't hide saved passwords. It made sense under the threat model they had for the feature, but it wasn't the security model end users expected would be the default.
A simple UI fix would be to explicitly call the sharing mode "unlisted" like some other sites do including Youtube, with a similar warning about linking to the content.
I think what's going on, and may not be well communicated, is that by default when you share, you get sharing via the link. The benefit is that anyone who wants to see the photos can do so without having to have a Google account, let alone be signed in.
It's trying to achieve privacy by obscurity, and I'm assuming that Google has robots / etc configured so that no search engine could crawl the shared album URLs.
That said, I do agree that this should be communicated better. Personally, I like this feature because some of my friends are fiercely anti-Google and this still allows me to share photos with them seamlessly. The alternative suggested by the author (i.e., upload to Drive then share) is less seamless and for me, not worth the additional privacy gain. (The photos I truly want private are not shared at all, and I try to delete them from the cloud asap).
> "Personally, I like this feature because some of my friends are fiercely anti-Google and this still allows me to share photos with them seamlessly."
I am fiercely anti-Google and I wouldn't touch a Google link for any reason, even if a friend sent it. If it's so important you need me to see it right away, send it via Telegram or MMS.
That said, I don't think this is malicious on Google's part, it's just lazy. Allowing sharing of private content is difficult to get right, but if Dropbox can do it I know Google can. Hell, they are smart enough to do it better, which is why this screams laziness or just a plain "we don't care" attitude.
First, either is more secure than clicking a random HTTP link from Google.
Second, the author was speaking of sharing a random photo with a friend, not national security secrets. I don't want Google seeing what I see, and using a third party messenger or a carrier service like MMS accomplishes this. If I need it to be encrypted, I'll use an encrypted service, but I wasn't talking about that and you're moving the goalposts to make what point exactly?
This seems like a lot of scaremongering. You have to balance a good UX with good security, and Google has done just that. If shared photos require a 10-step process for Grandpa to see them, he’ll never see them and you’ll be angry that Google photos let you down.
I think this is a fairly standard practice. This is exactly how shared links on Dropbox, Box, Mega, Imgur, etc. work. You can think of the URL as one long, and extremely hard to guess password.
Completely agree that Google Photos (and the other data hosting services) could provide warnings to those new to this method of sharing — I wouldn't expect my grandma to simply know this.
Google Drive creates a proxy link that makes sure that user actually has the proper privileges to access the content, before doing the redirect.
This can be seen by inspecting image link in Google Drive.
I was simply expecting to see the same behavior with Google Photos. As you said, at the very least it would be nice to see a warning, which turns out they provide in some, but not all flows.
The size of the URL for the image resource is utterly huge. If that is truly random in its generation, there's no way anybody's ever going to guess it or enumerate it. It's all SSL, so you'd need a serious network breach for anybody to sniff it, and then you have bigger problems.
Agreed, I am mostly bothered by UI that allows me to share these sacred private URLs without alerting me that there is no additional security in place to ensure that only users I've shared the link with will be able to access my data.
I still think it's OK to use Google Photos. People just should be very careful with what they choose to share.
Hmm, looks like you may be right. While it’s a different issue from the one I initially raised (since there is no UI offering me to share this URL), it might be a deal breaker.
Thanks for the tip, I've added the following to the post.
Please let me know if I got something wrong.
------------------------------------------
This appears to be true and another key distinction between Google Drive and Google Photos.
Google Photos uses a direct link to the image in its Web UI. This means that if I right click on a Google Photos image, select “Copy Link Location”, and share this link on the Internet, anyone with the link will be able to see the photo.
Google Drive adds an extra level of protection. The URL exposed in Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.
Given that those URLs are extremely hard to guess, I am not as concerned with this finding. My biggest complaint with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.
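As an added illustration (not code from the post or from Google), here is a minimal model of the two sharing flows the thread contrasts, using constructed sample data: a Photos-style link where the whole capability lives in the URL, and a Drive-style proxy that checks the signed-in user against the sharing list before redirecting to the direct location. The expiring HMAC signature on the direct URL is an assumption added here as the usual mitigation for the copy-paste leak described above, not a claim about how Drive actually works.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SIGNING_KEY = b"constructed-demo-key"   # constructed; a real service keeps this secret
PHOTOS = {"img1": b"<constructed jpeg bytes>"}   # constructed sample photo store
ACL = {"img1": {"alice", "bob"}}        # users the owner explicitly shared img1 with

# 1. Photos-style sharing as the thread describes: the URL itself is the credential.
link_tokens = {}

def share_by_link(file_id):
    token = secrets.token_urlsafe(32)   # 256 random bits: "one long, hard-to-guess password"
    link_tokens[token] = file_id
    return f"https://photos.example/share/{token}"

def fetch_by_link(url):
    token = url.rsplit("/", 1)[1]
    file_id = link_tokens.get(token)
    return PHOTOS[file_id] if file_id else None   # no identity check at all

# 2. Drive-style proxy as the thread describes: verify the session, then redirect.
def direct_url(file_id, ttl=300):
    """Mint a direct content URL that carries an expiry and an HMAC over it (assumed mitigation)."""
    exp = int(time.time()) + ttl
    sig = hmac.new(SIGNING_KEY, f"{file_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://content.example/{file_id}?" + urlencode({"exp": exp, "sig": sig})

def proxy_redirect(session_user, file_id):
    if session_user not in ACL.get(file_id, set()):
        return None                     # 403: the owner never shared this with that user
    return direct_url(file_id)          # 302 to the physical location

def fetch_direct(url, now=None):
    """Content host: checks signature and expiry only, not who is asking (the leak the post found)."""
    path, _, query = url.partition("?")
    file_id = path.rsplit("/", 1)[1]
    params = dict(p.split("=") for p in query.split("&"))
    expected = hmac.new(SIGNING_KEY, f"{file_id}:{params['exp']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["sig"]):
        return None                     # tampered file_id or expiry
    if (now if now is not None else time.time()) > int(params["exp"]):
        return None                     # a copied link stops working after ttl seconds
    return PHOTOS[file_id]
```

A copied direct URL still serves the photo to anyone within its lifetime, which is exactly the thread's point; the expiry only bounds how long that copy is useful.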
I'm not following - the author asked Google Photos to give them a generic link not connected to anyone. If Google required you to login for a regular old link, I think people would be more upset. If you want to share to a specific person, you have to click share and then select that person.
The article is riddled with typos. Coupled with the exaggerated claim that "All shared photos are public", this leads me to believe it was written purely to get internet points.
My apologies. Father of two little kids here and didn't know if it was going to get any attention. I just had my wife proofread it, but if you find some other typos, please let me know.
Re AMP, I was not just posting to gain up-votes, I believed in all the things I said. But I did underplay the benefits that AMP provided, for which I apologized. You can read more about that here if you'd like: https://www.alexkras.com/google-amp-is-winning/
I don't have an agenda... I saw something that surprised me concerning my security, realized that others might have overlooked it, and wrote a blog post about it...
Re continuous reposting, it is not against HN terms. I was doing it because I thought that there are people who can benefit from my writing; I take a lot of time to write my posts and it sucks when nobody gets to read them. I did however go overboard towards the end, I have been warned, and I am only submitting articles once now. Such as this post, as you can see in my history.
My take (not sure why nobody else is saying this):
Google is contractually required to not inspect or analyze the _private_ data it stores beyond technical purposes such as deduplication.
- Google Drive is used for corporate environments where privacy is the be-all end-all. Can't really do anything there.
- But by using UX antipatterns to get away with making Photos public by default, Google can say "well the photo was publicly accessible so we've ...".
Hmm. I wonder what the legal ramifications are of making a photo private. Does that constitute a licensing change on the part of the copyright holder (you)? Can Google argue _for_ holding on to "the copy of the photo that was public"? (Yes there's no bit difference but the legal flavor is different.) If that's the case, that could explain why everything's public by default; just grab a copy of the photo before the user makes it private a second later.
Remember how the Pixel has unlimited online Photos storage?
This is clearly a tracking move. I was reading about how YouTube analyzes the content of videos (AI content recognition), etc. If Google has the infra to analyze _video_ they can easily do images.
Related: https://medium.com/insurge-intelligence/how-the-cia-made-goo... (REALLY long - I started going crosseyed ~60% through - but probably the most relevant thing you'll find all week if you're interested in how Google is tracking you and what their motivations are)