Google Photos is making photos semi-public

386 pointsby robertwiblinalmost 6 years ago

31 comments

pkulakalmost 6 years ago

This is exactly what I, and everyone else I know, wants to happen when you share a link to a photo. Do we not remember what the alternative is? Sharing with someone's Google account, I suppose? Oh, but now when you send that link to your iMessage group, you have to know every one's Google account name. And then half of them will be logged into their work accounts (or not logged in) at the time and it will fail, and the whole message thread turns into a discussion of how 3/4 of the people can't see the photo.What are the easier alternatives? Emailing maybe? But then you've moved the bits into someone else's account and they are there forever and can be forwarded anywhere. Maybe print a physical copy? Then that copy is around forever and can be handed to anyone else.They only extra security I would tolerate is an optional expiration, defaulted to a year or so. I love taking photos, I enjoy sharing them, and it's important to me to keep that simple and accessible. I think of these share links as bearer auth, which is used all over the web and is a perfectly valid way to secure a resource.

评论 #20429068 未加载

评论 #20428781 未加载

评论 #20428714 未加载

评论 #20429963 未加载

评论 #20430414 未加载

评论 #20428611 未加载

评论 #20429306 未加载

评论 #20428656 未加载

评论 #20429881 未加载

评论 #20429117 未加载

评论 #20432360 未加载

评论 #20429114 未加载

评论 #20429030 未加载

评论 #20428875 未加载

评论 #20429738 未加载

评论 #20431928 未加载

评论 #20429912 未加载

spydumalmost 6 years ago

Once you have the full URL to the image, you can share that too - authorization checks dont happen when fetching the image.. from googleusercontent.com as far as I can tell..But really - once you share an image to some one, there is no stopping them from downloading the image and sharing it out somewhere else anyways.. So I'm not sure the point of this.

评论 #20428487 未加载

评论 #20428562 未加载

评论 #20428471 未加载

评论 #20431236 未加载

评论 #20428473 未加载

评论 #20431177 未加载

tzsalmost 6 years ago

It's too bad HTMLMediaElement seems to only be for audio and video. If it also could do photos you should be able do a photo sharing site that lets you upload encrypted photos, distribute the URLs of those uploads, and have them only be viewable to people you also distribute the key to, without those people needing any special software to decrypt the photos. Such software is already built into the major browsers, as part of the Encrypted Media Extensions (EME).People mostly think of EME in the context of DRM, providing a uniform framework across browsers for proprietary DRM plugins for streaming movies from services like Netflix.But EME can actually be used without any plugins. The spec requires implementations to support a thing called "Clear Key", where you provide the decryption key directly to EME instead of it coming from some DRM plugin. See this article for more information [1].I've tried this with video and it works fine. I took an encrypted video, put it on my web site along with a page that had an HTMLMediaElement containing the video, and a text box that let you enter the decryption key, and could play it back when I supplied the right key.I wonder if doing a photo as a 1 frame looping video would work?[1] <a href="https://www.html5rocks.com/en/tutorials/eme/basics/" rel="nofollow">https://www.html5rocks.com/en/tutorials/eme/basics/</a>

评论 #20429080 未加载

评论 #20428825 未加载

评论 #20428872 未加载

评论 #20430114 未加载

评论 #20428843 未加载

评论 #20429891 未加载

martythemaniakalmost 6 years ago

Semi-related: I had a very creepy bug come up recently. Amongst all the collages, animations and videos Assistant makes, this auto-generated video came up: <a href="https://streamable.com/bd2y1" rel="nofollow">https://streamable.com/bd2y1</a>There's no image/video source for this (accidentally syncing downloaded folders etc) that I could find and typically the jangley music the videos come with don't include any narration, so the source must be a video? This is the first thing I've ever contacted Google Support over, and obviously, there's a 0.001% chance of anything being resolved.

评论 #20431136 未加载

评论 #20428717 未加载

jit_hackeralmost 6 years ago

This is a non-issue. The URLs are way to unique to guess (you'd have an easier time guessing an email/pass/2FA). And ones ability to access the URL at all is the same as their ability to access the bytes of the image. Once accessed, they could capture and share either.This would be an issue if it were mutable data.

评论 #20428972 未加载

kyrraalmost 6 years ago

He says the easy thing is to use the Google drive sharing model, which only works with other people that have Google based accounts that can be authenticated. The sharing model in Photos is meant to lower the barrier for sharing with people with non-Google accounts. It's also worth noting in the demo he showed, many of the recommended sharing links were sharing with a user account and not via link (which would be gated behind authentication still).

评论 #20428500 未加载

评论 #20428540 未加载

shepwalkeralmost 6 years ago

You can get similar behavior with Dropbox <a href="https://www.dropbox.com/s/pcutvzhj8nc4auu/indy_asleep.jpeg" rel="nofollow">https://www.dropbox.com/s/pcutvzhj8nc4auu/indy_asleep.jpeg</a> And OneDrive: <a href="https://1drv.ms/u/s!AqxVBILuAH4kssIAdGJhBtwUCm5DhA" rel="nofollow">https://1drv.ms/u/s!AqxVBILuAH4kssIAdGJhBtwUCm5DhA</a>{I assume Box has something similar but I don't feel like finding my creds}Screenshots of the dialogs: <a href="https://imgur.com/a/lijzeli" rel="nofollow">https://imgur.com/a/lijzeli</a>The big difference I see is that that the Google Photos share model feels related more to mobile-sharing scenarios than access control - ie, you're sending your buddy a link! Vs you're granting access, and that distinction isn't super blatantly called out.Disclosure: I work on OneDrive for Microsoft

scarface74almost 6 years ago

If I share a link to the photo and the link gets shared by the recipient it is “semi-public”.If I share an authorized link to the photo the recipient can still share the photo if by no other way, taking a screen shot.If in the case of the Google Photos iOS app, if I share a photo via the share shortcut and send it in a message, that photo can also be shared.All that to say, no matter how you share the photo - it’s out of your control after that.

godelskialmost 6 years ago

This is a perfect example for things like:Techies: Well duh... what did you expect? Magic?Non-techies: WHAT?I think people often forget that most don't actually know how computers or the internet work. Since this topic keeps coming up it really seems like we need to think clearly about this and do a better job of informing people how things work.

评论 #20434022 未加载

tomasyanyalmost 6 years ago

Every uuid image link would be public, but virtually private. You would need to know the exact link to see the image.Can't see how this is different from images stored in FB or other services.There's no reason to panic, guessing the URL's is (virtually) impossible.

评论 #20431761 未加载

carapacealmost 6 years ago

"Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud" (2014)Abstract> Controlled sharing is fundamental to distributed systems; yet, on the Web, and in the Cloud, sharing is still based on rudimentary mechanisms. More flexible, decentralized cryptographic authorization credentials have not been adopted, largely because their mechanisms have not been incrementally deployable, simple enough, or efficient enough to implement across the relevant systems and devices.> This paper introduces macaroons: flexible authorization credentials for Cloud services that support decentralized delegation between principals. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient, easy to deploy, and widely applicable.> Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests. This paper describes macaroons and motivates their design, compares them to other credential systems, such as cookies and SPKI/SDSI, evaluates and measures a prototype implementation, and discusses practical security and application considerations. In particular, it is considered how macaroons can enable more fine-grained authorization in the Cloud, e.g., by strengthening mechanisms like OAuth2, and a formalization of macaroons is given in authorization logic.<a href="https://ai.google/research/pubs/pub41892" rel="nofollow">https://ai.google/research/pubs/pub41892</a>

TazeTSchnitzelalmost 6 years ago

Ah, and it would be so easy to fix this in one way or another:1) Make the link temporary, only working for X days2) Make the link only bring up a page which lets you link to a Google account, and after that you need the account to view the images and the link has effectively expired3) (2) with a time limitet cetera

评论 #20430574 未加载

评论 #20428497 未加载

macspoofingalmost 6 years ago

This 'security issue' is of the same category as a previous article about Trello desktop app storing an authentication token locally ... that is, a non-issue that let's the author pretend like they found a security issue in a major consumer product.Google Photos is a consumer product meant to be used by regular by tech savvy and non-tech savvy consumers. You can always add more security-based workflows but then your grandparents will get frustrated when they can't see pictures of their grandkids you emailed to them, or can't figure out how to send you images that they took of their garden.What is the alternative that the author proposes? Use Google account access controls? Great idea if everyone has a Google account and is logged into the right browser. But that's not reality. I see proposals in this thread about sharing encryption keys or passwords, or using Google accounts sometimes, but not other times. Suggestions that range from Kabuki theater, to frustration of regular consumers.There is no issue here, and Google has the right idea.

kpU8efre7ralmost 6 years ago

What are the odds of guessing that URL? It appears it would be far more difficult than guessing the user account password.URL consists of uppercase, lowercase, 0-9 and is 17 characters in length- that's 1.28E65 dudes. That's enough combinatholions you could probably make a URL for every photo ever taken for all of human history and never find one in a billion years.

评论 #20430455 未加载

ozzmotikalmost 6 years ago

in all fairness, what would one expect the app to do in the first place? sharing through the app is fundamentally different than sharing through, say, your photo gallery, as that just shares the image itself. within the app, and the general ecosystem that surrounds it, the method of sharing is by exposing that image as a resource to external parties, and given that http(s) is the transport that makes the world go round, it would stand to reason that a url would be created and associated with that resource, and furthermore that anyone that gets that url would be allowed to access that resource. of course that's just generalized sharing, there's also more granular sharing at the level of Google accounts where you can provide specific access to specific individuals etc. but either way. i see no reason to be surprised or even particular bothered by this. if anything it's to be expected

dvdblocalmost 6 years ago

This has been covered so many times by so many different people that I’m surprised this is at the top of hacker news yet again.

suchirealmost 6 years ago

I used to be the tech lead for the sharing and permissions side of a file storage service. In my experience with designing systems, participating in user studies, trying to problem solve with coworkers, and so on, this is an extremely hard problem to solve, because (as can be seen in the comments), there usually isn’t a right answer. Different people expect very different defaults, and get frustrated and upset when things don’t match their a priori expectations. The temptation is to solve these differing use cases with lots of configurability, precise descriptions, and lots of user education but users don’t read (usually), and rarely do they understand the tricky implications of different settings. Not only that, but mistakes they make in configuration or use will understandably cause them to be more scared of using your service.I don’t think anyone has solved access control, not Facebook, Google, OneDrive, or even Apple.

Forge36almost 6 years ago

2017*Since this article didn't include instructions to fix this:On desktop (I couldn't find a way through the app) Go-to <a href="https://photos.google.com/sharing" rel="nofollow">https://photos.google.com/sharing</a>You can see what's shared Select an album, go to options (is a menu under the three vertical dots in the upper right)Uncheck share. Then click delete

评论 #20428591 未加载

评论 #20428493 未加载

vladguralmost 6 years ago

This is old news though <a href="https://www.theverge.com/2015/6/23/8830977/google-photos-security-public-url-privacy-protected" rel="nofollow">https://www.theverge.com/2015/6/23/8830977/google-photos-sec...</a>But I do agree, google can do better messaging that

jdofazalmost 6 years ago

OneDrive lets you set an expiration when you share a photo with a url, I usually pick a month with the assumption the other person will download the photo to their own collection.

vassilykalmost 6 years ago

From what I remember this was in the original specs [1]. If people don't check specs how can we expect society to work?[1]<a href="https://www.theverge.com/2015/6/23/8830977/google-photos-security-public-url-privacy-protected" rel="nofollow">https://www.theverge.com/2015/6/23/8830977/google-photos-sec...</a>

teamskialmost 6 years ago

This is the reason why I pay for Dropbox to host my pictures. The problem with Google is often not about severe privacy problems, it's about 'you never know' and getting educated and finding the right setting is hassle everytime. Worse here is FB.

jxdxbxalmost 6 years ago

iCloud sharing works the same way, however the public links expire. (When you share photos with someone via iMessage and it creates an iCloud link rather than iMessaging the photos, it's just a public, unguessable URL).

marmshallowalmost 6 years ago

Facebook does the same thing right? Not necessarily defending the choice but it’s standard. Wonder if there are similar examples outside of social media sites, like for banking pdf statements generated or something like that...

walterbellalmost 6 years ago

If you use an end-to-end encrypted messaging app like Wire (app.wire.com), your photos will only be visible to the specific accounts and devices which were in the group at the time of sending the photo.

netduralmost 6 years ago

Not an issue, it will only became an issue if you can predict the photo URL.

评论 #20428644 未加载

erwan577almost 6 years ago

Is there any practical way to review all the links to my shared Google Photos and maybe disable sharing of most of them quickly ?

sidcoolalmost 6 years ago

Are there any good alternatives to Google photos?

评论 #20437297 未加载

modzualmost 6 years ago

for what its worth, github suffers from the same issue. it's a "feature"

robertAngstalmost 6 years ago

Is this an actual risk? you would need to guess a link.Serious question

评论 #20429592 未加载

评论 #20428596 未加载

评论 #20428602 未加载

akras14almost 6 years ago

Glad to see it trending again. I raised the same concern years ago, and was mostly ridiculed. Nothing has changed since then.I’ve been using Google Drive integration to share photos securely, but Google just announced that this will be going away.In addition I realized that Google strips out metadata from my files during conversion. Common sense, but not something I thought about before.Time to switch. If anybody has good alternatives I am all ears.<a href="https://www.alexkras.com/do-not-share-your-google-photos/" rel="nofollow">https://www.alexkras.com/do-not-share-your-google-photos/</a>

评论 #20431162 未加载