SmugMug doesn't seem to understand the meaning of privacy

The folks at Google Blogoscoped have uncovered what appears to be a pretty glaring privacy hole in online photo sharing site SmugMug. Like many online photo sharing services, SmugMug allows users to mark images as public or private. If your images are private they won't show up on your profile page and other users are only supposed to be able to find them if you send them a special URL, which is not password protected.

Sure, a password would make the page more secure, but it would also make it more inconvenient for your friends, family, and colleagues to see your vacation photos. But as long as there's no easy way for the general public to find your photos, they're still secure from prying eyes, right?

Maybe not. The problem is that SmugMug gives images a predictable URL string, starting with http://www.smugmug.com/gallery/1000. All you have to do is change the number and you'll start to find photo album after photo album, whether they're market public or private.

As Google Blogoscope's Philipp Lenssen points out, the solution could be as simple as using a random string of characters. But the CEO of SmugMug replied in an email to Lenssen that the system wasn't built for randomized strings, and changing it now would be expensive. And you know what? If most SmugMug users remain blissfully unaware that their "private" images might be publicly accessible then maybe it's not wroth the time and money to fix the flaw. But we kind of think SmugMug and any other company that claims to offer users some level of privacy should really be willing to improve their system when flaws are pointed out.

Tags: images, photo-sharing, photos, privacy, smugmug