Comments on: Big privacy changes at SmugMug

By: pysmug version 0.4 coming soon « I’m not here.

pysmug version 0.4 coming soon « I’m not here. — Sun, 11 May 2008 05:19:46 +0000

[...] the biggest changes are compatibility with new security changes required for version 1.2.2 of the SmugMug API. It’s now also possible to register function [...]

By: Mark

Mark — Sat, 08 Mar 2008 04:04:34 +0000

It would be very nice if you would start issuing API keys again…

By: SmugBlog: Don MacAskill » Blog Archive » On so-called ‘holes’ in our new privacy scheme

Tue, 19 Feb 2008 18:29:04 +0000

[...] clear: If you try their so-called exploit on a ‘new’ photo or video (one uploaded after our privacy changes on February 8th), it just won’t work. If you try it on an ‘old’ photo or video, [...]

By: Matt Johnson

Matt Johnson — Fri, 08 Feb 2008 22:16:46 +0000

I just checked the holes I found last week. The bugs that allowed me to view an image where external linking was even disabled have now been fixed, even on the old images. With the addition of the imagekey on the images it locks images down even tighter so that it will be harder for hackers to even find such holes in the future, and it prevents the ability to just iterate through images.

If you want the images protected, then they need to be password protected, and external linking disabled. Password protecting essentially locks the front door, while disabling external linking locks the back door, all windows, and covers the windows.

By: Kevin Forbes

Kevin Forbes — Fri, 08 Feb 2008 21:57:49 +0000

Wow, that was quick! Personally, I have no problem with the way it worked before. It worked the way I was expecting, having read through the options. But you’ve definitely done your customers (and future customers) a good turn by making these changes.

By: Luis Feinzaig

Luis Feinzaig — Fri, 08 Feb 2008 19:44:49 +0000

This is a good fix for the problem. However, if technically possible, you should add the possibility of opting out of this feature (the new alphanumerical key). In my case I am not that concerned about privacy as I am about ease of use ( I handle a very large quantity of galleries). Good job!

By: Philipp Lenssen

Philipp Lenssen — Fri, 08 Feb 2008 16:49:44 +0000

> I wasn’t completely happy that it was so easy
> to guess an album but I don’t really have
> anything that needs to be hidden that well
> and still be accessible without a password,
> so I wasn’t concerned.

Mark, just to clarify in case you missed this: photos set to password-protection also showed up publicly when iterating image IDs. So even if you set your old album to password protection and private, its pics were publicly crawlable — only disabling external linking stopped the pics from showing when iterating IDs. Not sure what the current status is as we didn’t test the site for some time now, but if old galleries remain unfixed, all that would still be the case — maybe Don can clarify if that’s the case or not.

By: Matt Johnson

Matt Johnson — Fri, 08 Feb 2008 16:33:56 +0000

You guys rock as always! I am impressed with the speed in which this was taken care of.

At first I was a little concerned about some of the loop holes, although I didn’t see them as critical, I was impressed that you were willing to address it publicly and openly.

You have made us aware of the problems, listened to our concerns, and acted quickly. For that you have earned more of my respect.

By: Seann

Seann — Fri, 08 Feb 2008 14:49:18 +0000

You guys are awesome. Undoubtedly the best photo site on the web for consumers or pros. Keep up the great work, openness and uncomprmising user support.

By: Mark

Mark — Fri, 08 Feb 2008 14:10:28 +0000

I’m glad you did this. I already have an account and I understood the distinction between private and public when I opened it. I wasn’t completely happy that it was so easy to guess an album but I don’t really have anything that needs to be hidden that well and still be accessible without a password, so I wasn’t concerned. (I guess it was more of a technical concern than practical and practice is what matters).

But still, I’m happy with this change and how quickly you turned it around. The naming change from Private to Unlisted is probably the most important part so people are more aware of what it means.

I used to have my pictures on another website that would talk about quick fixes when bugs came up but it rarely happened. That’s what drove me away, so keep up the good work!