Not okay, Google.
Getting hold of one of those URLs is not going to be easy, but still this is not at all what I would expect.
The size of the URL for the image resource is utterly huge. If that is truly random in its generation, there's no way anybody's ever going to guess it or enumerate it. It's all SSL, so you'd need a serious network breach for anybody to sniff it, and then you have bigger problems.
So yeah. Not that bothered upon further thought.
I still think it's OK to use Google Photos. People just should be very careful with what they chose to share.
Please let me know if I got something wrong.
This appears to be true and another key distinction between Google Drive and Google Photos.
Google Photos uses direct link to image in their Web UI. This means that if I right click on a Google Photo image, select “Copy Link Location”, and share this link on the Internet, anyone with the link will be able to see the photo.
Google Drive adds an extra level of protection. The URL exposed in Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.
Given that those URLs are extremely hard to guess, I am not as concern with this finding. My biggest complain with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.