Hacker News new | past | comments | ask | show | jobs | submit login

All photos on Google Photos is publicly accessible, if you know the URL. It doesn't matter if it's shared or not.

I just tested this with the image link for a non-shared photo in a private window. It loaded without incident.

Not okay, Google.

Getting hold of one of those URLs is not going to be easy, but still this is not at all what I would expect.

Okay I've thought about it some more.

The size of the URL for the image resource is utterly huge. If that is truly random in its generation, there's no way anybody's ever going to guess it or enumerate it. It's all SSL, so you'd need a serious network breach for anybody to sniff it, and then you have bigger problems.

So yeah. Not that bothered upon further thought.

Agreed, I am mostly bothered by UI that allows me to share these sacred private URL without alerting me that there is no additional security in place to insure that only user's I've shared the link with will be able to access my data.

I still think it's OK to use Google Photos. People just should be very careful with what they chose to share.

Hmm, looks like you may be right. While it’s a different issue from the one I initially raised (since there is no UI offering me to share this URL), it might be a deal breaker.

Thanks for the tip, I've added the following to the post.

Please let me know if I got something wrong.


This appears to be true and another key distinction between Google Drive and Google Photos.

Google Photos uses direct link to image in their Web UI. This means that if I right click on a Google Photo image, select “Copy Link Location”, and share this link on the Internet, anyone with the link will be able to see the photo.

Google Drive adds an extra level of protection. The URL exposed in Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.

Given that those URLs are extremely hard to guess, I am not as concern with this finding. My biggest complain with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact