Huge (possibly new) Security Loophole involving right click protection
KQuinlan
While fixing other things on my site, I just noticed that the right click protection seems to be off for a good amount of my site. While logged out, at the folder level, nearly every "cover image can be right click downloaded" without any protection. Not only that, it is not downloading the thumbnail, it is directly downloading the maximum viewable size image. I assume this is something smugmug is currently messing with, because I did not notice it before right now, and haven't seen other posts about it. I did this in both IE and Chrome. Any ideas what's up?
-Kevin
Comments
I am able to click and drag thumbnails to my desktop. These are images that the gallery they are in are right click protected. And these images are large enough to satisfy any web image stealer who just wants to use the image on a website. It even uses my original filename convention. This is a serious problem. I will be adding this to the BUG section if someone has not already done that. Also, I can drag the real image to my desktop, but it only shows an empty container file. It does not stop you in your tracks and give you the ERROR message about the file being protected.
To test this, I went to other people's galleries and dragged thumbnails (nice size images) to my desktop with ease!!!!!!! WOW!!!!
Whoops - was adding this thread and messed up. So, trying again.
Images used as the main Gallery Image can be copied (click drag and drop) to your desktop (on my Mac with Chrome). And not just from your website. I copied images from random sites as easy as pie including mine. I checked my particular galleries and right-click protection is ON. Copying a thumb from WITHIN the gallery gets you a URL to the image/site. Copying the real image gets you an empty container file and not the legacy error message about not copying people's stuff. Now that the Gallery images are so large, the image copied is fairly large. These images are large enough for a web stealer to use easily on their own website or blog. The file even has its original filename!
This stops me dead in my tracks from going live. To me this is one of those issues where the developers stop everything and attend to the security code. I hope a Hero will forward this asap.
How to duplicate:
Go to anyone's new live account. Go to a page that lists galleries. Click and drag any of the Gallery thumbs to your desktop (not from within the gallery). Voila! You now have their image.
Please fix this FAST!
I learned this from a post in the General Support section and added a comment there. Did not know then that it just seems to be the front end gallery image. Still there is the issue of not giving an error message when trying to copy the real protected file.
Anyway, the above statements are what I am seeing.
I was also able to copy the image I am using as a Header image (however I set that up) used at the top of all my pages. I am logged in, so maybe that is allowed. I am in Preview mode, not live.
No right-click-protection message involved...
No real problem for me since I wasn't able to get the original file using the copy&paste from the devtools, and X3 might be viewed in browser and may be copied from the browser cache on disk also.
A "web stealer" only needs to take a screenshot of the page and all right-click protection is also bypassed. It's not worth stressing out over this little loophole in what is fundamentally a protection system that cannot protect anything - use watermarks instead.
Please check out my gallery of customisations for the New SmugMug, more to come!
Really not a "Security Loophole"... you can't protect a site against all possible methods to get photos. You just can make it more difficult for the normal user to get the photos. As I said, I was not able to download an original file, just the largest file that I allowed to download. Not a real problem for me.
Hi Kevin,
I have submitted this to the engineers. Please keep in mind that it is copying your max viewable size, and nothing bigger. A screenshot of this photo in the Lightbox will provide the exact same size file. Watermarking would add additional security to your images against screenshot thieves. We have a great write-up on this topic here.
Michael
@southerneastphotography
You have set your galleries (at least those I have visited right now) to "O" as largest size, so everyone can download your images in "O" - even when used in a Flash Gallery (old style I guess).
Mind the file name - from Portfolio-Avian-Birds:
With the wording as it is too many people think their images are protected. That's never been true. If an image is viewable in a browser it can be grabbed from the browser cache, and screen shots are also easy to do.
--- Denise
Musings & ramblings at https://denisegoldberg.blogspot.com
As far as copying files, I guess I have to back track and subdue myself. I went to the legacy system and found out I could click drag the main gallery image to my desktop. So, that copy issue (to me) was already there and just transferred to the new system. The legacy thumbs were smaller, thus it copies a smaller version than the new system bigger images.
Confused on several things:
1. How does screen capture get your largest image? Does not screen capture get a 72dpi/ppi file?
2. When I dragged the image to desktop, I was not getting Original size file. I get a 1.5x2inches or so file but resolution is at original 300ppi and pixels of 436x600. This is much smaller than the originals shot with a Nikon D200 or D700.
3. When trying to click drag the real image I get only an empty "spacer.gif" file. Click dragging the thumb gets me a URL to the gallery and that file selected. So can you tell me why I can copy a "real" main gallery image with click drag? Why should it not give either the URL or a "spacer.gif" file like the others?
4. NOT AN ISSUE ANYMORE - At the top of my legacy site, I have an image of a nighttime cannon firing. I cannot click drag that file. I can right-click and copy it, but it actually creates a URL to the legacy site - not a captured image. I use that same file on my PREVIEW system. I CAN click drag that to my desktop...it DOES seem to bring the original file of that one to the desktop...ugh. NUTS, for some reason that gallery where the photo lives was NOT right-click protected. Fixed it and cannot copy that file anymore - user error. Maybe that was unprotected in legacy; but as stated, could not copy it in legacy. I don't want to modify legacy anymore so I will let that slide. So disregard this item...think I mentioned this "issue" earlier. My bad.
So, aside from all the ways to defeat protection out there and I understand that, it seems to me that SmugMug can at least stop the "easiest" stealing method of click drag with a spacer.gif or a URL for the main gallery images.
I don't want to disclose the URLs, so see the attachment and mind sizes and PPI.
This way you only copy what is in use / displayed as folder thumb or gallery thumb. Something like this, 98PPI here. 1.980px at 51 cm / 20.08'' width = 98PPI
But there are displays having more PPIs. I don't get you here. Forget about the drag and drop. When logged out, you might be able to drag the spacer.gif only.
Once again to make it clear: people are able to download (in one way or the other) whatever you have defined as the largest size. They just have to find out about the URL.
The Natur -> Common Green Lizard gallery for example has only "L" as max size.
As for the drag and drop of the gallery thumbnail, as Kevin originally reported, that will now save a Spacer.gif if someone tries to drag to the desktop.
Thanks everyone!
-Kevin
You are most welcome Kevin!
ö = type ALT+0+2+4+6 on the num pad. But "o" is fine ;-)
EDIT: Wait, um, this is interesting... I was just able to heist one of Sherlock's X2 (and X3) sized images, sans any watermark by simply dragging it to my desktop and can then save it. I did this while I was logged onto my own SM site, and also after I was logged off. Now, it does appear that Nicholas has right click protection turned off, as well as watermarks off, so this is why right click protection and watermarking is so important. Screenshot below. I could have made a movie of it, but I think the screenshot proves it is all too easy.
Now, I also tried dragging photos off select Flickr galleries, and no-can-do. So if they can make dragging impossible, can SM?
"You miss 100% of the shots you don't take" - Wayne Gretzky
Drag and drop does not work in here, when images are right-click protected. It gives a spacer-2.gif only.
You mentioned Flickr: Some can drag and drop images which the owner has allowed download for. For the other some would have to find out the URL or use for example an Add-in made for it. Period.
See the video in which I show how to.
I don't use watermarks or enable "right-click protection" because they're both silly restrictions which degrade the quality of my work and make my galleries harder to navigate (there's plenty on the right click menu that isn't "save image as...", and about a hundred ways to save the image that don't involve right clicking). For the same reason, I'm happy to post X3 resolutions, and I'm keen to switch to X4 as soon as that's available. It simply makes images look stunning on the new Retina displays, so long as I'm super careful while shooting to maximise sharpness.
Additionally, the image you saved is actually available as a 100 megapixel panorama hosted on SmugMug, so X2 is tiny in comparison!
Oh, Nicholas, I read through your SM tutorials - great stuff. I see you've found an excellent method of working around the JS limitations in posting 180 x 360 immersive images. Great job!
Other than a screen grab.... someone please try to right click this image to recreate my test example.
http://www.scharetgpictures.com/#a=0&at=0&mi=2&pt=1&pi=10000&s=0&p=0
You were missing what was said before about the right-click thing, not only by Denise: Whatever you believed in the past what the right-click thingy does, might be wrong. You show something on the Internet, some can get it. Easy as that.
What do you want us to do? Download those 1.800x1.197px pics behind the flash? Here we go:
EDIT: it might not be clear or obvious that images have to be transferred to the viewer's computer in order for him to view them. By this they are at least to be found in the browser cache:
http://www.moonriverphotography.com/Galleries/California-Ranch-Experience/i-7QQqgXP