"Security" of Snapfish photo sharing site



  • I've found what I would consider a serious and easily reproducible security issue with HP's Snapfish photo sharing service.

    I've raised the issue with their Tech Support, but needless to say, they can't even be bothered to return my messages.

    The problem involves the "security" on your online albums.  The exact text on their web site in regards to security reads (if you want to see it for yourself, the URL for this FAQ is http://www2.snapfish.com/helpsharing#questions):

    "Can the public see my pictures?
    No. The only people who see your photo(s) are those people who receive an email invitation from you to see the photo(s). If you've given permission for your friends to re-share your album, they can also share it with others."


    Which turns out, as you've no doubt guessed by now, to be a total load of crap.  The fact is, all someone needs to know is the URL for the album, and they can get into it.  The only security is the obscurity of the URLs, and goodness knows, no one can figure out a URL, right?

    To try this yourself: I created this test album.  I have obviously not sent any of you an invite to it, all you have is this URL:  http://www2.snapfish.com/thumbnailshare/AlbumID=178533621/a=110322638_110322638/t_=110322638

    All you need to do is "register" for their site (with any fake email address), and you can see any photos anywhere on Snapfish for which you know the URL.  Personally I didn't even bother to register, I just used "BugMeNot" to provide a username/password login to Snapfish, and needless to say you can get in without a single issue, and access any photo album URL you can work out.

    The other lovely part is that as the owner of the photos, you can't get any information about who's using them.

    Excellent security there HP, I'm glad my family photos are safe.
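
Added example, not part of the original post and not Snapfish's code: a small model of the gap the post describes, with the "any logged-in account that knows the URL" check beside the invite-list check the FAQ promises, plus the per-album access log the owner is missing. The Album class, the function names and the accounts are hypothetical, constructed for illustration.

```python
# Added example: model of the album access check discussed above.
# Album, can_view_url_only, can_view_acl, reshare and all data are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Album:
    album_id: int
    owner: str
    invited: set = field(default_factory=set)        # accounts the owner invited
    allow_reshare: bool = False                       # owner's re-share setting
    access_log: list = field(default_factory=list)   # reviewable by the owner


def can_view_url_only(album, user):
    """Behaviour described in the post: any logged-in account that knows
    the album URL gets in, and nothing is recorded for the owner."""
    return user is not None


def can_view_acl(album, user):
    """Behaviour the FAQ promises: owner and invited accounts only,
    with every attempt recorded so the owner can review it."""
    allowed = user is not None and (user == album.owner or user in album.invited)
    album.access_log.append((datetime.now(timezone.utc), user, allowed))
    return allowed


def reshare(album, sharer, recipient):
    """Invite a further account, only if the owner enabled re-sharing."""
    if sharer == album.owner or (album.allow_reshare and sharer in album.invited):
        album.invited.add(recipient)
        return True
    return False


def demo():
    album = Album(album_id=1001, owner="owner@example.test",
                  invited={"grandma@example.test"})   # constructed sample data
    stranger = "throwaway@example.test"               # registered, never invited
    return {
        "url_only_stranger": can_view_url_only(album, stranger),
        "acl_stranger": can_view_acl(album, stranger),
        "acl_invited": can_view_acl(album, "grandma@example.test"),
        "reshare_blocked": not reshare(album, "grandma@example.test", stranger),
        "logged_attempts": len(album.access_log),
    }
```

With the invite-list check, the denied attempt by the uninvited account also lands in the access log, which is the visibility the post says owners do not have.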



  • What's more scary is that most sites do it that way... they think obfuscating the URL is enough :(

    Microsoft has done a better job though, all files stored on Spaces (or SkyDrive) are only accessible if you're signed in to Live ID and have been assigned the rights to view an album. Or when the album/space is set to 'allow anyone on the internet to view'



  • While that is mind-numbingly bad, the best way to ensure your photos don't end up being seen by people you don't want to see them is not to upload your photos to a photo sharing site in the first place. 



  • I totally agree with that on a personal basis.  Unfortunately I found out my mother-in-law had uploaded some pictures I had given her so she could have prints made.

    Which then made me put on my "network security guy" hat and wonder how secure Snapfish was, now that there were pictures of my kids sitting out there.



  • dude! what sort of pictures do you take of your kids?

     

    you sound like you have a problem with people merely seeing your kids... how do you stop people seeing them when they are in public??



  • @bobday said:

    dude! what sort of pictures do you take of your kids?

     

    you sound like you have a problem with people merely seeing your kids... how do you stop people seeing them when they are in public??

    Ironically enough, here in the UK it is now technically illegal to take photographs of your own kids.

    (It's one of those badly-written anti-pornography laws that was passed with a round of "Oh, but we'll only use it against bad people" handwaving)

    Never tested in court, though - and our courts are allowed to throw out stupid, badly-written laws.



  • I'm not terribly concerned with the pictures themselves - just raising the issue about Snapfish claiming security when they have none.



  • Mh... k... I just played a bit with the parameters of the (probably php) script...
    Look at this... quite interesting...

    GET /render2/is=Yup6GeP%7C%3Dup6RKKt%3Axxr%3D0-qpDofRt7Pf7mrPfrj7t%3DzrRfDUX%3AeQaQxg%3Dr%3F87KR6xqpxQPPQx0ooxl0axv8uOc5xQQQJaPPGneG0QqpfVtB%3F*KUp7BHSHqqy7XH6gX0QQPl%7CRup6aQQ%7C/of=501337,3161337,-4421337 HTTP/1.1

    HTTP/1.0 500 Internal Server Error
    Expires: Wed, 20 Feb 2008 22:35:32 GMT
    X-SF-xCode: 500
    X-SF-xError: class com.snapfish.render.core.CSnapError
    X-SF-xStack: +at+com.snapfish.render.core.CSnapLayer.checkArgs%28CSnapLayer.java
    %3A25%29+at+com.snapfish.render.core.CSnapImageOutputLayer.%3Cinit%3E%28CSnapIma
    geOutputLayer.java%3A39%29+at+sun.reflect.GeneratedConstructorAccessor11.newInst
    ance%28Unknown+Source%29+at+sun.reflect.DelegatingConstructorAccessorImpl.newIns
    tance%28DelegatingConstructorAccessorImpl.java%3A27%29+at+java.lang.reflect.Cons
    tructor.newInstance%28Constructor.java%3A494%29+at+com.snapfish.render.core.CSna
    pLayerFactory.newLayer%28CSnapLayerFactory.java%3A363%29+at+com.snapfish.render.
    core.CSnapLayerFactory.buildComposition%28CSnapLayerFactory.java%3A193%29+at+com
    .snapfish.render.server.CRenderServlet.processOld%28CRenderServlet.java%3A322%29
    +at+com.snapfish.render.server.CRenderServlet.process%28CRenderServlet.java%3A20
    3%29+at+com.snapfish.render.server.CRenderServlet.service%28CRenderServlet.java%
    3A495%29+at+org.apache.catalina.core.ApplicationFilterChain.internalDoFilter%28U
    nknown+Source%29+%5B26+more...%5D
    Date: Wed, 13 Feb 2008 22:35:32 GMT
    Server: Apache-Coyote/1.1
    X-Cache: MISS from r1-bl1-2.snf02.snapfish.com
    Via: 1.0 r1-bl1-2.snf02.snapfish.com:4500 (squid)
    Connection: close

    Secure?
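
Added example, not part of the original post: a check a site operator could run against their own error responses to catch the kind of disclosure shown above (a stack trace, an internal class name and a server banner in the headers). The function name and rule labels are hypothetical; the sample headers are taken from the response quoted in the post, with the stack header cut to its first frame.

```python
# Added example: flag response headers that leak server internals.
# find_header_leaks and the rule names are hypothetical.
import re
from urllib.parse import unquote_plus

# Java stack frame such as "at pkg.Class.method(File.java:25)"
FRAME = re.compile(r"\bat\s+([\w$.<>]+)\(([\w$]+\.java:\d+|Unknown Source)\)")
# Fully qualified class name such as "com.snapfish.render.core.CSnapError"
FQCN = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*")
# Product/version banner such as "Apache-Coyote/1.1"
BANNER = re.compile(r"^[\w.-]+/\d[\w.]*")

# Sample from the response quoted in the post (first stack frame only).
SAMPLE = {
    "X-SF-xCode": "500",
    "X-SF-xError": "class com.snapfish.render.core.CSnapError",
    "X-SF-xStack": "+at+com.snapfish.render.core.CSnapLayer.checkArgs"
                   "%28CSnapLayer.java%3A25%29",
    "Server": "Apache-Coyote/1.1",
    "Connection": "close",
}


def find_header_leaks(headers):
    """Return a sorted list of (header, rule, evidence) tuples."""
    findings = []
    for name, raw in headers.items():
        value = unquote_plus(raw)   # the trace in the post is form-encoded
        frames = FRAME.findall(value)
        class_name = FQCN.search(value)
        if frames:
            findings.append((name, "stack-trace", frames[0][0]))
        elif class_name:
            findings.append((name, "class-name", class_name.group()))
        elif name.lower() in ("server", "x-powered-by") and BANNER.match(value):
            findings.append((name, "version-banner", value))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_header_leaks(SAMPLE):
        print(finding)
```

Run as a regression test against a deliberately failing request in staging, an empty result means the error path returns only a generic status to the client.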



  • There was an article in yesterday's Washington Post about the problems with this type of "security"...

    Online Photos Not as Private As District Mother Assumed 

    About four months ago Meredith Massey uploaded three pictures of her children skinny-dipping, along with more than 50 other photos, to the online photo site Flickr. She marked those untitled and unclothed pictures "private" for her parents' eyes only. But a couple of weeks ago, the District woman discovered the selected snapshots had been viewed thousands of times, while other photos had about 20 hits. She immediately removed the pictures and contacted Flickr.

    http://www.washingtonpost.com/wp-dyn/content/article/2008/02/20/AR2008022002746.html



  • Hmmm, if you consider the AlbumID a password of sorts.... I certainly didn't hit on another album by trying some numbers randomly. 



  •  this seems like an acceptable level of security for family photos.



  • If you read my original post, Snapfish claims that the site is secure to anyone except those you specifically provide access.

     

    Whereas anyone who knows your Album URL can hand it out to anyone they like, and you'll never know who's accessing them.

     

    I'm not in any way saying that the level of security isn't acceptable for most family photos (including mine), I'm simply raising the issue that Snapfish isn't nearly as secure as they claim. 



  •  Did you suddenly wake up from your month long coma and decide to keep arguing your thread?



  • @MasterPlanSoftware said:

     Did you suddenly wake up from your month long coma and decide to keep arguing your thread?

     

    Hey, cut him some slack.  Just because you can formulate more than one sentence per week doesn't mean everyone can! 



  • @bstorer said:

    @MasterPlanSoftware said:

     Did you suddenly wake up from your month long coma and decide to keep arguing your thread?

     

    Hey, cut him some slack.  Just because you can formulate more than one sentence per week doesn't mean everyone can! 

     

    Haha. Or per month... whatever.



  • @bstorer said:

    Hey, cut him some slack.  Just because you can formulate more than one sentence per week doesn't mean everyone can!

    ROFL..

     

    Community Server really needs to automatically lock any thread that hasn't had a post in one week.



  • @MasterPlanSoftware said:

    @bstorer said:

    @MasterPlanSoftware said:

     Did you suddenly wake up from your month long coma and decide to keep arguing your thread?

     

    Hey, cut him some slack.  Just because you can formulate more than one sentence per week doesn't mean everyone can! 

     

    Haha. Or per month... whatever.

     

    There you go underestimating him again.  He managed to create three, count 'em, three sentences in a month.  That's like one every ten days!



  • @bstorer said:

    There you go underestimating him again.  He managed to create three, count 'em, three sentences in a month.  That's like one every ten days!
     

    Yeah, but it looks like that tired him out, and he had to take a break for a month.



  • Probably true, I shouldn't have bothered picking up the thread again.  How foolish of me. 



  • Agree, and it is still the same up to now.

    In addition, I found that if you share a photo with someone, that person can copy your photo to his/her album.

    Furthermore, he/she can share his/her copy of your photos with others without your permission.



  • Blue Öyster Cult - Don't Fear the Reaper

