Skip to content

any link you share is made public on the web

26 mayo, 2021

Far from restricting storage capacity to a few gigabytes, Google is one of the few companies that maintains the philosophy of offer unlimited storage for photos, paying as a tribute some compression (minimum) when uploading them to the cloud. In this matter of storing our information in cloud, doubts often arise as to whether or not these methods are safe, and there are plenty of reasons to think not.

The last one refers to a vulnerability in Google Photos that allows anyone to access shared photos via link. It does not matter that you have tried to make the link private and that you share it with only one person. If a third party manages to access this link, they will be able to view the photograph without the slightest problem.

Photo that you share by link, photo that is made public

Google Photos Photo

This is how clearly Robert Wiblim explains it through a publication on Medium, in which he demonstrates how easy it is to access a photo shared through Google Photos, without even logging into a Google account, through an incognito window.

We wanted to replicate Wiblim’s behavior and, indeed, the result has been the same. Any link you share on Google Photos is public, so it can be opened, regardless of whether or not you are using a Google account authorized to view such content.

This Google Photos error implies that there is no privacy when sharing a link. Anyone with access to the link can see the photo, whether we have given them permission or not

This can be a serious security problem since, if for some reason we share a link privately and a third party manages to access it, without our consent. you can see the content we have shared, something that does not happen in other Google services such as Drive, where you can only access the content that they have shared with us, through our Google account that has previously been authorized.

Beyond this, Wiblin points out (and we have been able to verify it) that Google Photos does not show us who has seen the photo, as if it does at the time of showing us in an album if the photographs are being viewed.

Google Photos is so good that I ended up giving away all my photos to Google

Loss of synchronization with Google Drive has left us with a security problem

Google Photos Drive

Until a few days ago, Google Photos and Drive were integrated, in such a way that the photos of one and the other service could be synchronized. One of the immediate consequences of having our photos synchronized in Google Drive is that of to be able to have our files protected in private, since Drive only shows the files to the users with whom we have decided to share them.

If Google Drive is able to respect the privacy of our links, there is no apparent justification for Google Photos not to do so.

If Google Drive respects our privacy when it comes to sharing links and showing them only to whom we have decided, it does not seem to make much sense that Google Photos does not do so. A private link must be private, so we hope that Google will solve this error soon, which can expose the privacy of users without them being aware of it.

Via | Medium