Hacker News new | past | comments | ask | show | jobs | submit login

Hmm, looks like you may be right. While it’s a different issue from the one I initially raised (since there is no UI offering me to share this URL), it might be a deal breaker.

Thanks for the tip, I've added the following to the post.

Please let me know if I got something wrong.


This appears to be true and another key distinction between Google Drive and Google Photos.

Google Photos uses direct link to image in their Web UI. This means that if I right click on a Google Photo image, select “Copy Link Location”, and share this link on the Internet, anyone with the link will be able to see the photo.

Google Drive adds an extra level of protection. The URL exposed in Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.

Given that those URLs are extremely hard to guess, I am not as concern with this finding. My biggest complain with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact