Hacker News new | past | comments | ask | show | jobs | submit login
All shared Google Photos are open to the public (alexkras.com)
52 points by akras14 on Jan 2, 2018 | hide | past | favorite | 40 comments

"The only security measure is that the album link is hard to guess. It was pointed out that this link is really HARD to guess. It does not need to be guessed. All it would take for some strangers to get access to my private photos, is for one of my relatives to share this link by mistake."

FWIW, whenever I share sensitive documents on drive, I do so via a shareable link. I figured if I trust someone not to download the file and share it as an attachment, then I trust that person to not share the url publicly as well.

One distinction though, is that URLs are much easier to steal, as compared to login info. People often don't make an effort to hide their browser URL when using their laptop in a public location, nor do they clear their history when using a shared computer. In theory, someone determined can use these vulnerabilities to steal a URL address.

In practice, the above threat-model seems obscure and unlikely enough, that for a social service like Google photos, what Google has seems reasonable enough. I can understand the author's surprise, but I can also understand Google's policy here.

It reminds me of the old way Chrome didn't hide saved passwords. It made sense under the threat model they had for the feature, but it wasn't the security model end users expected would be the default.

A simple UI fix would be to explicitly call the sharing mode "unlisted" like some other sites do including Youtube, with a similar warning about linking to the content.

I think what's going on, and may no be well communicated, is that by default when you share, you get sharing via the link. The benefit is that anyone who wants to see the photos can do so without having to have a Google account, let alone be signed in.

It's trying to achieve privacy by obscurity, and I'm assuming that Google has robots / etc configured so that no search engine could crawl the shared album URLs.

That said, I do agree that this should be communicated better. Personally, I like this feature because some of my friends are fiercely anti-Google and this still allows me to share photos with them seamlessly. The alternative suggested by the author (i.e., upload to Drive then share) is less seamless and for me, not worth the additional privacy gain. (The photos I truly want private are not shared at all, and I try to delete them from the cloud asap).

It’s a good feature, but I believe it should be optional, communicated better, and not on by default.

> "Personally, I like this feature because some of my friends are fiercely anti-Google and this still allows me to share photos with them seamlessly."

I am fiercely anti-Google and I wouldn't touch a Google link for any reason, even if a friend sent it. If it's so important you need me to see it right away, send it via Telegram or MMS.

That said, I don't think this is malicious on Google's part, it's just lazy. Allowing sharing of private content is difficult to get right, but if Dropbox can do it I know Google can. Hell, they are smart enough to do it better, which is why this screams laziness or just a plain "we don't care" attitude.

They do just that in Google drive. That is why I was so surprised that Google Photos did not behave in the same way.

Send it via a third party who can read your messages or MMS where everyone can read your messages?

Nice alternatives...

First, either is more secure than clicking a random HTTP link from Google.

Second, the author was speaking of sharing a random photo with a friend, not national security secrets. I don't want Google seeing what I see, and using a third party messenger or a carrier service like MMS accomplishes this. If I need it to be encrypted, I'll use an encrypted service, but I wasn't talking about that and you're moving the goalposts to make what point exactly?

This seems like a lot of scaremongering. You have to balance a good UX with good security, and Google has done just that. If shared photos require a 10-step process for Grandpa to see them, he’ll never see them and you’ll be angry that Google photos let you down.

I am advocating for a better UI that is clearly communicates what will happen when post is shared.

Sort of like Google Drive does it. Make it easy, sure, but let me know the trade offs.

It says “Via Sharable Link – Anyone with a link will be able to view or edit the files”.

Not sure how much clearer Google could make this.

Why is this the top story? It is a non story. PEBKAC.

Where does it say it in Google Photos?

I only see email, with no warning that album will be public.

The Via Sharable link screenshot is from Google drive, which works as expected.

Correction, it does show this warning in some flows: https://www.alexkras.com/wp-content/uploads/share-4.png

Unfortunately for me, I was using the other flows to share my photos.

I think this is a fairly standard practice. This is exactly how shared links on Dropbox, Box, Mega, Imgur, etc. work. You can think of the URL as one long, and extremely hard to guess password.

Completely agree that Google Photos (and the other data hosting services) could provide warnings to those new to this method of sharing — I wouldn't expect my grandma to simply know this.

Google Drive creates a proxy link that makes sure that user actually has the proper privileges to access the content, before doing the redirect.

This can be seen by inspecting image link in Google Drive.

I was simply expecting to see the same behavior with Google Photos. As you said, at the very least it would be nice to see a warning, which turns out they provide in some, but not all flows.

All photos on Google Photos is publicly accessible, if you know the URL. It doesn't matter if it's shared or not.

I just tested this with the image link for a non-shared photo in a private window. It loaded without incident.

Not okay, Google.

Getting hold of one of those URLs is not going to be easy, but still this is not at all what I would expect.

Okay I've thought about it some more.

The size of the URL for the image resource is utterly huge. If that is truly random in its generation, there's no way anybody's ever going to guess it or enumerate it. It's all SSL, so you'd need a serious network breach for anybody to sniff it, and then you have bigger problems.

So yeah. Not that bothered upon further thought.

Agreed, I am mostly bothered by UI that allows me to share these sacred private URL without alerting me that there is no additional security in place to insure that only user's I've shared the link with will be able to access my data.

I still think it's OK to use Google Photos. People just should be very careful with what they chose to share.

Hmm, looks like you may be right. While it’s a different issue from the one I initially raised (since there is no UI offering me to share this URL), it might be a deal breaker.

Thanks for the tip, I've added the following to the post.

Please let me know if I got something wrong.


This appears to be true and another key distinction between Google Drive and Google Photos.

Google Photos uses direct link to image in their Web UI. This means that if I right click on a Google Photo image, select “Copy Link Location”, and share this link on the Internet, anyone with the link will be able to see the photo.

Google Drive adds an extra level of protection. The URL exposed in Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.

Given that those URLs are extremely hard to guess, I am not as concern with this finding. My biggest complain with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.

I'm not following - the author asked Google Photos to give them a generic link not connected to anyone. If Google required you to login for a regular old link, I think people would be more upset. If you want to share to a specific person, you have to click share and then select that person.

All of this seems to be working as I expected.

That is not what is happening though, sharing with one person, opens up the folder for all people with a link.

How else would you share with someone who has no @gmail account, exactly?

I am not saying it’s bad for all use cases, but it should be better communicated and optional.

If I share something with my family, who are all on Google, I would like it to ONLY be available to them. Right now there is no way to do it.

OAuth or OTP to email comes to mind for now.

I cannot wait to see how you'd explain that to your 93-year-old great-grandfather.

Thank you for bringing this to my attention. I've just gone and deleted a couple very private albums myself.

You are welcome! I figured I wasn’t alone.

The article is riddled with typos. Coupled with the exaggerated claims that "All shared photos are public" leads me to believe this was written purely to get internet points.

My apologies. Father of two little kids here and didn't know if it was going to get any attention. I just had my wife proof read it, but if you find some other typos, please let me know.

after reading this i assumed english was your second language. there are still more obvious typos.

also yeah the hyperbolic language combined with the coinbase link read as "attention seeking" to me.

English is my second language. Re attention seeking, I though it was a big deal. Both my wife and I were shocked by it, so I wanted to share.

Coinbase link, is my experiment of trying to monetize my blog. Like I said, 2 kids...

If I need to make a post every time my wife was shocked by something on the internet, the internet would be twice as big.

I still use email if I want to share a picture with somebody? I must be old school.

>If I need to make a post every time my wife was shocked by something on the internet, the internet would be twice as big.

JFYI, in case of need:


Email is the way to go.

I only wrote this because I was shocked too. I genuinely did not expect this behavior, and I've been using Google Photos a lot in the past year.

Aren't you the same guy who kept posting articles about Google AMP to gain upvotes on HN?

Sensing a clear agenda here.

Edit: looking at your submission history -- wow. I'm surprised you haven't been dinged for spamming.

I am the same guy...

Re AMP, I was not just posting to gain up-votes, I believed in all the things I said. But I did underplayed the benefits that AMP provided, for which I apologized. You can read more about that here if you'd like: https://www.alexkras.com/google-amp-is-winning/

I don't have an agenda... I saw something the surprised me concerning my security, realized that other's might have overlooked it, and wrote a blog post about it...

Re continues re post, it is not against HN terms. I was doing it because I thought that there are people who can benefit from my writing, I take a lot of time to write my posts and it sucks when nobody gets to read it. I did however go overboard towards the end, I have been warned, and I am only submitting articles once now. Such as this post, as you can see in my history.

> Google Photos is NOT Google Drive

> ...

> ... I think that this is a lazy design. ...

No, it's absolutely deliberate.

My take (not sure why nobody else is saying this):

Google is contractually required to not inspect or analyze the _private_ data it stores beyond technical purposes such as deduplication.

- Google Drive is used for corporate environments where privacy is the be-all end-all. Can't really do anything there.

- But by using UX antipatterns to get away with making Photos public by default, Google can say "well the photo was publicly accessible so we've ...".

Hmm. I wonder what the legal ramifications are of making a photo private. Does that constitute a licensing change on the part of the copyright holder (you)? Can Google argue _for_ holding on to "the copy of the photo that was public"? (Yes there's no bit difference but the legal flavor is different.) If that's the case, that could explain why everything's public by default; just grab a copy of the photo before the user makes it private a second later.

Remember how the Pixel has unlimited online Photos storage?

This is clearly a tracking move. I was reading about how YouTube analyzes the content of videos (AI content recognition), etc. If Google has the infra to analyze _video_ they can easily do images.

Related: https://medium.com/insurge-intelligence/how-the-cia-made-goo... (REALLY long - I started going crosseyed ~60% through - but probably the most relevant thing you'll find all week if you're interested in how Google is tracking you and what their motivations are)

For reference, this is now at -2. I am very fascinated by this.

Applications are open for YC Summer 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact