Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking. 
First, a chance to strike it rich: I’ll give $1,000 $599.99 USD (stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I’m not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.
Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:
- Your private photos are still private. Your secure photos are still secure. Note that there is a difference – this is an important distinction.
- If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
- Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up – like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
- When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
- While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
- “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
- Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?
Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently than everyone else, we discovered early on that a “one size fits all” setting just doesn’t make sense. Instead, we settled on a lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo – and anything in between. You can mix and match, and “dial in”, whatever privacy and security settings you’d like, wherever you’d like.
Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry – but that doesn’t mean we can’t do better.
Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.
To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.
When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing – making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share – just a URL. Only people you’ve shared this URL with can find those photos – with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.
Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:
- It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
- We offer *lots* of additional options to make this impossible should you want to. This is key – we let you “dial in” the level of privacy and security you want, and this single, lone setting is just the tip of iceberg.
Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs – a very expensive proposition – except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me.
In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.
After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.
First email:
Hi Philipp,
I’m the CEO & Chief Geek at SmugMug, and I’m terribly sorry this is so confusing. Security & privacy are huge issues here at SmugMug, and we take them very seriously. Let me see if I can explain how things work and you can fill me in where we’re wrong:
First of all, we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).
At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question. Our customers love this feature, and have worked with us over the years to specifically design it this way.
Now, as you’ve pointed out, there is one possible loophole: they might be able to guess or even brute force crawl for the URL.
I’m in completely agreement, that GUIDs would help greatly here, but I’m afraid our system wasn’t built for GUIDs, and retrofitting our code and database to support GUIDs would be an extremely expensive proposition. Not that we’re not willing to do it – we would certainly consider it – but yours is the first request I’ve see in years to do so.
And the reason is simple – guessing a photo, or even a set of photos, from among 247,000,000+ photos is incredibly difficult. Even when you’re uploading a batch of photos to your own gallery, the likelihood of all of your photos being “in order” is very rare – there are just so many photos coming in every minute. A year from now, we’ll likely have over 500,000,000 photos, so the problem gets even less critical, in my opinion. That’s really the only thing a GUID solution would do, too – guessing would become astronomically difficult. Well, we’re not astronomically difficult, but we are very difficult – and getting more difficult every day.
But since guessing is a possibility (I consider brute forcing to be a near impossibility – crawling 250M photos in an automated way with image analysis to locate something specific is basically impossible), we have lots more features that fall into the Security category. It’s easily possible with our settings to completely eliminate this “hole” (again, I want to stress that while I wish we’d used GUIDs from the beginning, we really don’t consider this to be a security hole). Setting a password and disabling external links will make your images uncrawlable and unguessable. Many of our customers do – but those that choose not to are likely doing it because they don’t want this level of security.
I’m happy to go into all the privacy and security controls and permutations, if you’d like. There are many, and your site basically can become totally impregnable. What’s more, the settings can be applied to images themselves, or galleries, or your entire account – or mixed and matched however you’d like.
You are, of course, free to blog about our settings – we’re very open about them and what the tradeoffs for the various options are. In fact, if you let me know about it, I’m likely to link to it from my blog. We’re also very open to change – nearly every feature, bug fix, and enhancement is driven by customer feedback, like yours. If our customers (or potential customers) asked us to adopt GUIDs because this was a bigger issue than we were aware – we would.
I think this email has brought up one more thing we can do better with regards to private images, though. I’m gonna do a little research and make sure it’ll work, so I may be in touch in a few days with a follow-up if you don’t mind.
Thank you so much for letting us know about this. I promise I’ll take it into consideration whenever we’re discussing the issue in the future.
And thanks, especially, for giving us a shot and caring enough to write. It’s that kind of passion we prize above all else in our customers.
Don MacAskill
CEO & Chief Geek
SmugMug
Second email:
Hi Philipp,
Yep, I am, and the same things apply – our security features completely prevent this, should you care or want to, but our privacy features work as designed – they make it difficult, but not impossible, to find galleries.
One common analogy I hear our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.
Private galleries (rather than protected ones) are the same way. And they’re that way because thousands and thousands of our customers have asked us, in great detail, to make them that way.
In fact, we even have a setting that enables you to specifically hide the fact that you own a particular gallery, so even if someone “guesses” your gallery (that you’ve chosen not to protect), they can’t find out who owns it or follow a trail back to your homepage.
Again, we think the key to the privacy & security solution is flexibility. Everyone has different ideas about what privacy and security online means, and how much is too much. So rather than providing a single solution that only serves a fraction of our user base, either too secure or not secure enough, we’ve built a solution with lots of gradients for both privacy and security – so you can dial your own.
I believe we offer enough flexibility that we serve nearly everyone, but we continue to enhance our offering, add features, and fix bugs as they’re brought up to us.
Hope that helps, and thanks again for your interest. I’m a big fan of your blog, so I’m definitely interested in your thoughts.
Don MacAskill
CEO & Chief Geek
SmugMug
Philipp Lenssen wrote:
> Hi Don,
>
> Thanks for your explanation. Just to clarify: are you aware that
> gallery IDs can be iterated just the same as image IDs and thus, one
> can easily crawl all your galleries and filter to just those set to be
> private? With gallery ID, I’m referring to e.g.
> http://www.smugmug.com/gallery/4220006
>
> cheers
> Philipp
And the privacy hole:
Hi Philipp,
Your email to me got me thinking about how I redirect in the event that a hostname doesn’t match.
If you try to fetch a URL from cmac.smugmug.com that actually belongs to don.smugmug.com, we do a 304 redirect to don.smugmug.com before serving it. The intent is that we don’t want someone to “spoof” that a photo actually belongs to one user, rather than another.
In 5 years, stupid me, it never occurred to me that you could use that same functionality to actually find out who’s account a photo belongs to. Your email opened my eyes, and that hole is now fixed.
Good intent, poor implementation. Now we have both.
Thanks!
Don
