Network World
Saturday, November 22, 2008

Guest Blog: Google Blogoscoped


Picasa Unlisted Albums Privacy Issue Fixed

Google’s photo-storing app Picasa Web Albums had a bit of a privacy vulnerability. When you create an unlisted album to send to friends, you usually don’t expect the URL to get out to non-friends – that’s why Google included an authentication key parameter in the URL, so that the address can’t quickly be guessed (they didn’t in the beginning, which allowed you to e.g. see Larry Page’s unlisted album, but Google were later convinced it makes sense). However, Google allowed outgoing links in comments on photos in those unlisted albums. When you entered e.g. “Great photo, also see http://example.com” as a comment just a while ago, Google would automatically create a direct link to Example.com. As you know if you’re a webmaster, when someone clicks such a direct link – i.e. in this case a click-through by you or your friends who were invited – the browser passes along the address of the page the click came from, so the potentially uninvited owner of Example.com can now see the referrer URL in their log files... including the authentication key to get into your unlisted album.

What Google could have done to keep the links but make them safe is to redirect them through some Google page, which would as a consequence hide the original referrer from the webmaster of the other site. Instead, Google now does not automatically convert URLs in comments to clickable links, which has the same effect of ensuring the privacy of Picasa albums with regard to this hole.* Additionally, if you have any unlisted photos which have comments with external URLs and you care a lot about the privacy of that album, you might want to delete the album now and set up a new one, in case the authentication key has already gotten out.

*In general though, you should never really expect unlisted web pages to be fully private; only password protection makes it technically safe, because as this case shows, unlisting is more of a “human” agreement, unsupported by the underlying technology and protocols. And not even your friends may at all times be perfectly sure about a page’s status, so they may inadvertently share a page publicly which you intended to be friends-only... something which would happen more rarely when it’s a password they would need to share (especially if it’s their own Google Account credentials they’re using to log in).
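The two link-rendering behaviours described above, plus the check for albums whose key may already have leaked, as an added example that is not Picasa's code. The host `photos.example`, the `/redirect?url=` intermediary, the `authkey` values and all function names are assumptions made up for illustration.

```javascript
// Added example, not Picasa's code; hosts, paths and authkey values are constructed.
const SITE = "https://photos.example";      // hypothetical album host
const REDIRECT = SITE + "/redirect?url=";   // hypothetical intermediary page, no secret in its URL
const URL_RE = /(https?:\/\/[^\s<>"']+)/;

const escapeHtml = s => s.replace(/[&<>"']/g, c => "&#" + c.charCodeAt(0) + ";");

function isExternal(u) {
  try { return new URL(u).origin !== SITE; } catch { return null; } // null: not a usable URL
}

// Render a comment as HTML. safe=false reproduces the old direct-link behaviour;
// safe=true routes external links through the intermediary page.
function renderComment(text, safe) {
  return text.split(URL_RE).map((part, i) => {
    if (i % 2 === 0) return escapeHtml(part);          // text between URLs
    const ext = isExternal(part);
    if (ext === null) return escapeHtml(part);         // leave unparsable input as text
    const href = safe && ext ? REDIRECT + encodeURIComponent(part) : part;
    return `<a href="${escapeHtml(href)}">${escapeHtml(part)}</a>`;
  }).join("");
}

// Hrefs in rendered HTML that lead off-site directly, i.e. clicks that hand the
// album URL (authkey included) to a third party as the referrer.
function leakyLinks(html) {
  return [...html.matchAll(/href="([^"]+)"/g)].map(m => m[1]).filter(h => isExternal(h));
}

// Albums with external URLs in existing comments: candidates for a fresh authkey.
function albumsToReissue(albums) {
  return albums
    .filter(a => a.comments.some(c => c.split(URL_RE).some((p, i) => i % 2 && isExternal(p))))
    .map(a => a.id);
}

// Constructed sample data.
const albums = [
  { id: "holiday", url: SITE + "/anna/Holiday?authkey=EXAMPLEKEY",
    comments: ["Great photo, also see http://example.com"] },
  { id: "garden", url: SITE + "/anna/Garden?authkey=EXAMPLEKEY2",
    comments: ["Lovely <b>roses</b>", "Same as " + SITE + "/anna/Roses"] },
];
for (const a of albums) for (const c of a.comments)
  console.log(a.id, leakyLinks(renderComment(c, false)), "->", leakyLinks(renderComment(c, true)));
console.log("reissue:", albumsToReissue(albums));
```

The intermediary has to be a page that starts the onward navigation itself, because a plain HTTP 3xx response keeps the original referrer and the key would still reach the destination. It should also refuse targets the site did not generate, so that it does not become an open redirect.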

[By Philipp Lenssen | Origin: Picasa Unlisted Albums Privacy Issue Fixed]


Reprinted with permission from Google Blogoscoped.


About Google Blogoscoped

Philipp Lenssen from Germany, author of Google Apps Hacks, shares his views and news on the search industry in the daily Google Blogoscoped. Items here are reprinted with his permission.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
