Problem with images collected from a private gallery

aerialphoto · December 5, 2012

I have a new and conceivably (for me) serious problem.

I have a ton of private (unlisted) galleries that I show publicly by manually collecting the images OR in smart galleries that do it automatically by keyword.

I just happened to catch someone viewing images on one of those private/unlisted galleries that they shouldn't have been able to ever find. Turns out those collected images are now publicly showing "see photo in original gallery" with a link to the unlisted gallery. This has never been an issue before. The unlisted galleries stayed unlisted and there's never been a link to those galleries before.

Is this a change in Smugmug's software or a bug? If it's the way the system works then I need to go do some serious changes and quickly.

This image is a perfect example.

mishenka · December 5, 2012

wow... it is a serious security flaw in my opinion. I also have some public galleries that expose images from private albums, but those private albums are not only unlisted - they are also password protected. Interesting what SmugMug has to say to it.

aerialphoto · December 5, 2012

Password protecting still locks down the gallery. I can go in and add passwords to everything and it will effectively solve the problem, but the link to those protected galleries is still there. It's still a new problem though, I think.

Allen · December 5, 2012

The "see photo in original gallery" can probably be hidden with CSS.
But it's used in keyword and popular galleries also. So for each gallery you want it
hidden add one of these with the x's the gallery number. The .notLoggedIn is added
so you can see it when logged in so you'll easiely know where the photo came from.

.gallery_xxxxxxxxx .notLoggedIn #photoBy,
.gallery_xxxxxxxxx .notLoggedIn #photoBy,
.gallery_xxxxxxxxx .notLoggedIn #photoBy {display:none;}

Not perfect but better then nothing.

HeroOfCanton · December 5, 2012

aerialphoto wrote: »

Is this a change in Smugmug's software or a bug? If it's the way the system works then I need to go do some serious changes and quickly.

This is a bug in the system. The code Allen posted will hide that. I've raised this issue with QA several times, I will raise it with them again.

aerialphoto · December 5, 2012

HeroOfCanton wrote: »

This is a bug in the system. The code Allen posted will hide that. I've raised this issue with QA several times, I will raise it with them again. I agree that it is a severe hole in the security.

Thanks! Glad it's been confirmed. I was working on a temporary CSS solution too (thanks Allen).

Allen · December 5, 2012

Better idea, hide everywhere then add CSS to display only keyword and popular pages. Then
you don't have to list every gallery especially if you have a bunch.

aerialphoto · December 5, 2012

Thanks Al. I'm not worried about the keyword or popular pages really. I managed to hide it with ".notLoggedIn #photoBy {visibility:hidden;}", it'll do the trick for now

HeroOfCanton · December 7, 2012

I haven't had a chance to test this myself but QA is reporting that a fix went live on this earlier today.

aerialphoto · December 8, 2012

Yup - it appears fixed! Thanks Smugmug

Problem with images collected from a private gallery

Comments