Security Issues

lisaonlocation Registered Users Posts: 3 Beginner grinner
edited February 28, 2010 in SmugMug Support
Several times now I have had one individual in Provost, Utah get into locked, unlisted galleries on my site.

I have statcounter that shows me which pages were accessed and the city and IP address of the web surfer.

When this first happened I immediately changed my password not just to each of the galleries but my overall password as well. It's been a couple of months, but my hacker is back. He isn't doing anything that I can see other than looking at the photos. But these photos are of private sessions with my clients that he has no business getting into. There are a couple of nudes in the galleries as well and I know this client does not want those shared. I KNOW that my clients do not know this individual because he is getting into multiple galleries of clients who do not know each other. It's possible that a client may have shared their password with a friend in Utah, but each of these clients happen to have the same friend in Utah? I don't think so.

I'm very troubled about this and I'm considering taking down these galleries, but I'd like my clients to still have access to them should they want to order more.

Any ideas to prevent this, other than changing my password AGAIN? I have already tried that and he's gaining access without the password.

Comments

  • PBolchover Registered Users Posts: 909 Major grins
    edited October 2, 2009
    I'm wondering whether the statcounter is actually counting your visits. While you're actually based in Texas, it might be possible that your ISP sometimes has to redirect your internet line via Utah (I've no idea why, but it's worth pointing out that the ability to localise an IP address can be inaccurate).

    Try browsing to a protected gallery that hasn't got any hits so far. Try it logged in, and logged out (using the gallery password - preferably in a different browser, to avoid it simply picking the images from your cache). How are your hits counted by statcounter?
  • lisaonlocation Registered Users Posts: 3 Beginner grinner
    edited October 2, 2009
    PBolchover wrote:
    I'm wondering whether the statcounter is actually counting your visits. While you're actually based in Texas, it might be possible that your ISP sometimes has to redirect your internet line via Utah (I've no idea why, but it's worth pointing out that the ability to localise an IP address can be inaccurate).

    Try browsing to a protected gallery that hasn't got any hits so far. Try it logged in, and logged out (using the gallery password - preferably in a different browser, to avoid it simply picking the images from your cache). How are your hits counted by statcounter?


    That's an interesting idea. Except for the fact that I haven't gone to these galleries in at least a couple of months. They are basically closed unless the clients would like to add to their initial order.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 2, 2009
    It seems unlikely that someone from the outside would repeatedly crack both your site password and your gallery passwords.

    I wonder if there's any chance that some person or agent at Smugmug (perhaps someone in a support capacity trying to help with something) is the one who's been to those galleries? They can get in without a password.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • phototristan Registered Users Posts: 199 Major grins
    edited October 2, 2009
    There is also a setting within StatCounter where you can turn off your own visits. I would recommend you try that setting and then see if the stats change afterwards.
    Tristan
    Support Hero
    Smugmug
    http://help.smugmug.com/
  • Shamguess Registered Users Posts: 88 Big grins
    edited October 2, 2009
    Hacking into unlisted galleries
    I too have been noticing that somehow people are getting into my unlisted galleries. It shows up in Smugmug stats even though I have not been in the galleries for some time. I don't understand how they even know they are there since unlisted galleries don't show up in visitors' view. I don't have anything I am ashamed of in there, but it concerns me that if people are able to find and view unlisted galleries, are they also able to get to other things like original files, etc.?
  • kdog Administrators Posts: 11,681 moderator
    edited October 2, 2009
    I haven't used StatCounter yet. But is it possible the hits are generated from images which are externally linked, perhaps posted on Dgrin, or embedded in a blog? I know the regular stats don't differentiate between gallery views and external hot links.
  • BeachBill Registered Users Posts: 1,311 Major grins
    edited October 2, 2009
    Several times now I have had one individual in Provost, Utah get into locked, unlisted galleries on my site.

    I have statcounter that shows me which pages were accessed and the city and IP address of the web surfer.

    Quick comment on IP address and location. The location you are shown is the address of the organization the IP address is allocated to. This is usually the Internet provider (ISP or web host) that the end user connects to the Internet via. The address is usually the HQ of the organization. Most of the time the location will be close to the actual end user because they are using a local ISP. However this is not always the case.

    With that said, I suspect you have a smugmug employee browsing your galleries. I believe I read somewhere when I signed up a long time ago that they reserved the right to review posted galleries to verify the acceptable use policies have not been violated. I also remember reading somewhere that there was at least one Smugmug employee based out of Utah. (By the way I don't believe there is a Provost, Utah but there is a Provo, Utah)
    Bill Gerrard Photography - Facebook - Interview - SmugRoom: Useful Tools for SmugMug
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 2, 2009
    kdog wrote:
    I haven't used StatCounter yet. But is it possible the hits are generated from images which are externally linked, perhaps posted on Dgrin, or embedded in a blog? I know the regular stats don't differentiate between gallery views and external hot links.
    Statcounter does not and cannot report on externally linked images. That can only be reported by Smugmug itself or by a tracking mechanism in the actual web page where the images are embedded.

    StatCounter (and Google Analytics) works by embedding a small recording mechanism in your Smugmug web page. When that page is loaded by a browser, the recording mechanism triggers a hit on StatCounter's servers, thus recording the visit. When an image is directly linked externally, the recording mechanism in your Smugmug page is never hit or triggered because the Smugmug page itself is never loaded. Thus StatCounter-type trackers only track web page hits for the web pages that they are embedded in - they cannot track direct image hits. Only Smugmug's servers (who serve up those images) can track the direct image hits.
    --John
  • kdog Administrators Posts: 11,681 moderator
    edited October 2, 2009
    jfriend wrote:
    Statcounter does not and cannot report on externally linked images. That can only be reported by Smugmug itself or by a tracking mechanism in the actual web page where the images are embedded.

    StatCounter (and Google Analytics) works by embedding a small recording mechanism in your Smugmug web page. When that page is loaded by a browser, the recording mechanism triggers a hit on StatCounter's servers, thus recording the visit. When an image is directly linked externally, the recording mechanism in your Smugmug page is never hit or triggered because the Smugmug page itself is never loaded. Thus StatCounter-type trackers only track web page hits for the web pages that they are embedded in - they cannot track direct image hits. Only Smugmug's servers (who serve up those images) can track the direct image hits.

    Thanks, John. Makes sense, mostly. The only thing that's puzzling me is how do they get the IP address without help from the server?
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 2, 2009
    kdog wrote:
    Thanks, John. Makes sense, mostly. The only thing that's puzzling me is how do they get the IP address without help from the server?
    StatCounter works by embedding something in your web page that makes a web request from the user's browser to the StatCounter server. That web request comes from the user's browser and thus comes from the user's IP address. The StatCounter servers record that IP address.
    --John
  • Shamguess Registered Users Posts: 88 Big grins
    edited October 2, 2009
    OK, so if I am not using any kind of stat counter other than Smugmug's default; if I have no external links whatsoever to certain unlisted galleries and there are no passwords for those galleries; how is it that I am getting Smugmug stats on unlisted galleries? I have not even been in these particular galleries so I know it's not me. Again, not that I really care other than if someone can hack into an unlisted gallery, what else do they have access to?
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 2, 2009
    Shamguess wrote:
    OK, so if I am not using any kind of stat counter other than Smugmug's default; if I have no external links whatsoever to certain unlisted galleries and there are no passwords for those galleries; how is it that I am getting Smugmug stats on unlisted galleries? I have not even been in these particular galleries so I know it's not me. Again, not that I really care other than if someone can hack into an unlisted gallery, what else do they have access to?
    Are the galleries in question only unlisted? Or are there passwords protecting them also?

    An unlisted gallery is like an unlisted phone number. Its only real security is that nobody knows it (and it's hard to guess). The moment someone starts spreading it around and telling people or posting it, anyone can get in. So, you really have no idea who your clients might have sent the link to and when they might have decided to look.

    If it isn't your clients or someone they told about it, then my earlier posting #4 in this thread is my best guess.
    --John
  • kdog Administrators Posts: 11,681 moderator
    edited October 2, 2009
    jfriend wrote:
    StatCounter works by embedding something in your web page that makes a web request from the user's browser to the StatCounter server. That web request comes from the user's browser and thus comes from the user's IP address. The StatCounter servers record that IP address.

    I gotcha. They have their own server that the client talks to. Pretty clever.

    Cheers,
    -joel
  • colourbox Registered Users Posts: 2,095 Major grins
    edited October 2, 2009
    About the original question, are you also using any kind of a proxy server or VPN? I have StatCounter set to ignore my home IP address, but if I am on my laptop, turn on the VPN for security, and browse my own galleries, sometimes my own visits to my own unlisted galleries get logged because I forgot to add the VPN servers' IP addresses to the StatCounter ignore list. They show up as whatever VPN server around the world that my computer got connected to that particular time, so if I am not paying attention, I might think somebody really did visit from the other side of the country when it was really just me at home.

    BUT, I can also take my laptop to a friend's house or cafe and might find my own visits logged because I didn't enter those IP addresses into StatCounter. StatCounter does have a way to save you the trouble of always remembering to enter the IP addresses you are logging in from: the blocking cookie. If I make sure I set the StatCounter blocking cookie, my browser won't register my own visits no matter what IP address I am logging in from.

    BUT, sometimes I forget that I should also add the StatCounter blocking cookie to the other web browsers I may be using to test my site, such as Firefox or Internet Explorer. So then Statcounter logs my own visits again until I notice and set the blocking cookie.

    BUT, I sometimes forget that I have reset or deleted cookies on one browser or another to simulate the user experience on my site. When that happens, the StatCounter blocking cookie gets blown away and I might see my own visits logged again.

    The point of the above 3 BUT paragraphs is that there are many ways for your own visits to be logged by StatCounter, by accident, which do not involve external hacking of any kind. Pay attention to your IP list and the blocking cookies in all browsers and StatCounter projects you use, and after verifying that your visit exclusions are set up properly, then maybe you can suspect hacking.
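John's explanation earlier in this thread of how StatCounter records a visit (a snippet embedded in the gallery page makes a request from the visitor's browser to StatCounter's server, which records that browser's IP address; a directly hot-linked image never loads the page, so the snippet never fires) and colourbox's list of ways an owner's own visits slip past the IP ignore list and the blocking cookie can be modelled in a few lines. The JavaScript below is an added example written for this page, not StatCounter's code or anything posted in the thread; the cookie name `sc_block`, the IP addresses, and the gallery paths are constructed assumptions.

```javascript
// Added example (not from the thread, not StatCounter's code): a toy model of
// which visits a page-embedded tracker can see, and which of those it records.
// Cookie name, IP addresses and paths below are assumed/constructed values.

// A visitor's browser fetches some resource from the photo site.
//   kind: "page"  -> an HTML gallery page carrying the embedded tracker snippet
//   kind: "image" -> a direct (hot-linked) image URL; the page is never loaded
// The beacon fires only for "page" loads, because that is where the snippet lives,
// and it carries the visitor's own IP because the browser sends it.
function beaconRequestsFor(resourceLoads) {
  return resourceLoads
    .filter((r) => r.kind === "page")
    .map((r) => ({
      remoteIp: r.visitorIp, // seen by the tracker server, not by the photo host
      cookies: r.cookies || {},
      page: r.url,
    }));
}

// Tracker-side decision: record this beacon hit or drop it as the owner's own?
// Models the two self-exclusion mechanisms discussed in the thread:
//   1. an IP ignore list (fails when you roam: VPN exit, cafe, friend's house)
//   2. a blocking cookie in the browser (fails once cookies are cleared)
function shouldRecordHit(beacon, config) {
  if (config.ignoredIps.includes(beacon.remoteIp)) return false;
  if (beacon.cookies[config.blockingCookieName] === "1") return false;
  return true;
}

// Run sample traffic through the model and return what the stats would show.
function recordVisits(resourceLoads, config) {
  return beaconRequestsFor(resourceLoads)
    .filter((b) => shouldRecordHit(b, config))
    .map((b) => ({ ip: b.remoteIp, page: b.page }));
}

// Constructed tracker configuration (assumed names, documentation IP ranges).
const TRACKER_CONFIG = {
  ignoredIps: ["203.0.113.10"], // owner's home IP
  blockingCookieName: "sc_block", // assumed blocking-cookie name
};

// Constructed sample traffic.
const SAMPLE_LOADS = [
  // owner at home, IP on the ignore list -> dropped
  { kind: "page", url: "/Clients/Smith", visitorIp: "203.0.113.10", cookies: {} },
  // owner on a VPN exit, blocking cookie present -> dropped despite unknown IP
  { kind: "page", url: "/Clients/Smith", visitorIp: "198.51.100.7", cookies: { sc_block: "1" } },
  // owner on a VPN exit after clearing cookies -> recorded, looks like a stranger
  { kind: "page", url: "/Clients/Smith", visitorIp: "198.51.100.7", cookies: {} },
  // a genuine outside visitor -> recorded
  { kind: "page", url: "/Clients/Jones", visitorIp: "192.0.2.44", cookies: {} },
  // someone fetching a hot-linked image directly -> invisible to the tracker
  { kind: "image", url: "/photos/i-abc123/L.jpg", visitorIp: "192.0.2.99", cookies: {} },
];

const hits = recordVisits(SAMPLE_LOADS, TRACKER_CONFIG);
console.log(hits); // two hits: the cookie-less VPN visit and the outside visitor
```

The third sample load is the case colourbox describes: once the blocking cookie is gone and the VPN exit is not on the ignore list, the owner's own visit is indistinguishable from a stranger's, and the geolocation shown will be that of the VPN exit. The last load shows why a hot-linked image never appears in StatCounter at all; only the image host's own logs can see it.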
  • Andy Registered Users Posts: 50,016 Major grins
    edited October 3, 2009
    jfriend wrote:
    It seems unlikely that someone from the outside would repeatedly crack both your site password and your gallery passwords.

    I wonder if there's any chance that some person or agent at Smugmug (perhaps someone in a support capacity trying to help with something) is the one who's been to those galleries? They can get in without a password.
    Our visits wouldn't count, we're logged in as owners so you'll not see our visits count (if we've visited).
  • mbrady Registered Users Posts: 321 Major grins
    edited October 3, 2009
    Andy wrote:
    Our visits wouldn't count, we're logged in as owners so you'll not see our visits count (if we've visited).

    Statcounter would still log them though, even if the Smugmug stats don't.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 3, 2009
    mbrady wrote:
    Statcounter would still log them though, even if the Smugmug stats don't.
    That is correct, and it's StatCounter hits that we're talking about here because the info includes location information (Utah) which is something Smugmug does not provide.
    --John
  • lisaonlocation Registered Users Posts: 3 Beginner grinner
    edited October 5, 2009
    colourbox wrote:
    About the original question, are you also using any kind of a proxy server or VPN? I have StatCounter set to ignore my home IP address, but if I am on my laptop, turn on the VPN for security, and browse my own galleries, sometimes my own visits to my own unlisted galleries get logged because I forgot to add the VPN servers' IP addresses to the StatCounter ignore list. They show up as whatever VPN server around the world that my computer got connected to that particular time, so if I am not paying attention, I might think somebody really did visit from the other side of the country when it was really just me at home.

    BUT, I can also take my laptop to a friend's house or cafe and might find my own visits logged because I didn't enter those IP addresses into StatCounter. StatCounter does have a way to save you the trouble of always remembering to enter the IP addresses you are logging in from: the blocking cookie. If I make sure I set the StatCounter blocking cookie, my browser won't register my own visits no matter what IP address I am logging in from.

    BUT, sometimes I forget that I should also add the StatCounter blocking cookie to the other web browsers I may be using to test my site, such as Firefox or Internet Explorer. So then Statcounter logs my own visits again until I notice and set the blocking cookie.

    BUT, I sometimes forget that I have reset or deleted cookies on one browser or another to simulate the user experience on my site. When that happens, the StatCounter blocking cookie gets blown away and I might see my own visits logged again.

    The point of the above 3 BUT paragraphs is that there are many ways for your own visits to be logged by StatCounter, by accident, which do not involve external hacking of any kind. Pay attention to your IP list and the blocking cookies in all browsers and StatCounter projects you use, and after verifying that your visit exclusions are set up properly, then maybe you can suspect hacking.

    Wow that's a lot of info. Thanks everyone. To answer some questions. I do have blocking cookies set up on my statcounter for both my laptop and desktop. Also remember I personally have not gone to any of these galleries in many months because these clients have already made their purchases and been done with them. As I said someone would have to know multiple passwords for multiple galleries that are not only unlisted but password protected as well. I do suspect a hacker so I am going to take down the galleries in question, once again change my password and hope they leave me alone.

    I was just wondering if there was a way for someone to see a list of pages available on a smugmug site and access them directly without going through the password page.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 5, 2009
    I was just wondering if there was a way for someone to see a list of pages available on a smugmug site and access them directly without going through the password page.
    If your site is password protected, then no listing of pages can be obtained without the site password. The only intended and known access without password would be by Smugmug employees who can see the same "logged in" view that you see.
    --John
  • Jetranger Registered Users Posts: 51 Big grins
    edited February 28, 2010
    Security
    You need to be extremely careful when signing on to your account. By default it is set to remember your password. You have to remove the "Remember Me" flag to be secure. It defaults to saving your account password, the exact opposite way that it should work. So if you are ever on a computer that other people use (as all of mine are) then you have to remove that flag every single time you sign on, or all of your galleries and settings will be available to the next person or persons that go to your website.

    This is a very serious bug that I have reported for more than 2 years now. It is very simple to fix, but there is some denial as to the importance of security. If they can save my password and sign on the next person automatically to my account, they can certainly ask if we want this power given to strangers. The default should be secure. I don't know about anyone else, but my photos are certainly worth protecting.

    If you have ever signed on to a computer and NOT removed that flag, your photos are all at risk, and your password could even be changed. Just something to consider if you are having issues with security.

    I have had other smuggers tell me that they were at a friend's house, signed on to their computer to make some account changes for the friend, and then driving home realized they had forgotten to remove that flag. This friend then will go right into his account with all the power that he has the next time they go to his website. Very dangerous for this to happen - especially by default.

    This has happened to me as well. As an I.T. consultant to see something so simple and so obvious being ignored for so long is annoying. If someone is going to save my account password on a computer, I should ASK for this to be done. I should not have to select it to NOT be done EVERY TIME I sign on. And I mean EVERY SINGLE TIME.

    I have offered several suggestions and very simple ways to improve security - being an I.T. Consultant - but they have been ignored for more than 2 years.

    If this was what happened to you ... then you are very fortunate that you were able to change your password. If they knew how to change it - you could have been locked out of your own account, and all of your galleries deleted. Or worse, posted to public websites.

    Steve
  • jfriend Registered Users Posts: 8,097 Major grins
    edited February 28, 2010
    Jetranger wrote:
    You need to be extremely careful when signing on to your account. By default it is set to remember your password. You have to remove the "Remember Me" flag to be secure. It defaults to saving your account password, the exact opposite way that it should work. So if you are ever on a computer that other people use (as all of mine are) then you have to remove that flag every single time you sign on, or all of your galleries and settings will be available to the next person or persons that go to your website.

    This is a very serious bug that I have reported for more than 2 years now. It is very simple to fix, but there is some denial as to the importance of security. If they can save my password and sign on the next person automatically to my account, they can certainly ask if we want this power given to strangers. The default should be secure. I don't know about anyone else, but my photos are certainly worth protecting.

    If you have ever signed on to a computer and NOT removed that flag, your photos are all at risk, and your password could even be changed. Just something to consider if you are having issues with security.

    I have had other smuggers tell me that they were at a friend's house, signed on to their computer to make some account changes for the friend, and then driving home realized they had forgotten to remove that flag. This friend then will go right into his account with all the power that he has the next time they go to his website. Very dangerous for this to happen - especially by default.

    This has happened to me as well. As an I.T. consultant to see something so simple and so obvious being ignored for so long is annoying. If someone is going to save my account password on a computer, I should ASK for this to be done. I should not have to select it to NOT be done EVERY TIME I sign on. And I mean EVERY SINGLE TIME.

    I have offered several suggestions and very simple ways to improve security - being an I.T. Consultant - but they have been ignored for more than 2 years.

    If this was what happened to you ... then you are very fortunate that you were able to change your password. If they knew how to change it - you could have been locked out of your own account, and all of your galleries deleted. Or worse, posted to public websites.
    I'm curious why you added this onto a 5-month-old dead thread? FYI, you can't change an account password without re-entering the original password, so this issue would not allow one to change your account password (or any other account-level setting).

    Security is always a trade-off between convenience and security. What you want to be the default is different than what others want and what they want is different than what you want. If you want, you could write a small script that would change the default value for the "remember" checkbox. I happen to like that the default is to remember my password because I rarely use public computers so this default saves me time and doesn't compromise my security at all.
    --John
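The "Remember Me" exchange above (Jetranger's point that the secure default is to stay signed in only when the user asks for it, and John's reply that it is a convenience trade-off) comes down to one decision at login: whether the server issues a session-only cookie or a persistent one. The following is an added example, not Smugmug's code or anything from this thread, of a login handler that defaults to a session-only cookie and issues a long-lived one only when the checkbox was actually ticked. The cookie name `sid`, the form field `remember_me`, and the 30-day lifetime are assumptions.

```javascript
// Added example (not Smugmug's code): a login handler where "remember me" is
// opt-in. A persistent cookie is issued only when the user explicitly ticks the
// box; otherwise the session cookie dies with the browser, so the next person at
// a shared computer is not silently signed in. All names and values are assumed.

const SESSION_COOKIE = "sid"; // assumed cookie name
const REMEMBER_MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // assumed 30-day lifetime

// Build the Set-Cookie header value for a freshly created server-side session.
// rememberMe defaults to false: the secure choice unless the user opted in.
function buildSessionCookie(sessionId, rememberMe = false) {
  const attrs = [
    `${SESSION_COOKIE}=${sessionId}`,
    "Path=/",
    "HttpOnly", // not readable by page scripts
    "Secure", // only sent over HTTPS
    "SameSite=Lax",
  ];
  if (rememberMe) {
    // Only an explicit opt-in gets a lifetime beyond the browser session.
    attrs.push(`Max-Age=${REMEMBER_MAX_AGE_SECONDS}`);
  }
  return attrs.join("; ");
}

// Read the checkbox from the submitted form. An absent field means "unchecked";
// the login form must not pre-tick the box, or the server reads that as consent.
function rememberMeFromForm(formFields) {
  return formFields.remember_me === "on";
}

// Would a browser keep this cookie after it is closed?
function isPersistentCookie(setCookieValue) {
  return /(^|;\s*)(Max-Age|Expires)=/i.test(setCookieValue);
}

// Handle a login POST (credentials already verified): return the header value
// the server would send. Session IDs are assumed to come from a secure generator.
function handleLogin(formFields, newSessionId) {
  return buildSessionCookie(newSessionId, rememberMeFromForm(formFields));
}

// Constructed sample submissions.
const defaultLogin = handleLogin({ user: "alice" }, "s1");
const optedInLogin = handleLogin({ user: "alice", remember_me: "on" }, "s2");
console.log(defaultLogin, isPersistentCookie(defaultLogin)); // session-only
console.log(optedInLogin, isPersistentCookie(optedInLogin)); // persistent
```

With this shape the trade-off John describes is still available to users who want it, but a forgotten checkbox on a shared machine leaves nothing behind once the browser is closed, which is the failure Jetranger describes. Note that persistence is tied to a session identifier, never to the password itself, and HttpOnly plus Secure keep that identifier out of page scripts and off plain HTTP.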