Password Protected Gallery Showing Up On Search Engine

AperturePlus Registered Users Posts: 374 Major grins
edited October 7, 2013 in SmugMug Support
How does this happen?

I noticed in Statcounter that some visits had come from a site called pictures.com

Then I realised that if I searched by my generic tag that I put on all my images (apertureplus), that images from an event that is password protected are showing up as well.

This is of real concern to me, as the event in question was put up for an orphanage that I did a shoot at a couple of weeks back, for the minders of these children to choose the shots that they wanted.

We have really strict laws in our country pertaining to the public display of child images and anyone contravening these laws will be criminally prosecuted.

How did this search engine find this 'protected' gallery and display the images?

Thanks
Clive

Comments

  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 4, 2013
    In fact - another password protected and unlisted gallery of mine is showing up here as well.
  • richpepp Registered Users Posts: 360 Major grins
    edited October 4, 2013
    Isn't that weird. It appears to only be thumbnails but they shouldn't be there either. Nor are there links to any of those images in either your sitemap or sitemap images files. The only way that I can imagine that they got there is if there was a delay between you uploading the images and putting the password on. If a site is picking up Smugmug images using an RSS feed then they may get the thumbnail before you have a chance to block it.

    Other than that it would need one of the Smuggies to dive in :(
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 4, 2013
    Hi Richpepp. It is weird, isn't it, and a bit concerning. The galleries that are showing up were both created and then protected before any uploading happened.
  • bobbyhero Registered Users Posts: 207 Major grins
    edited October 4, 2013
    Please reach out to the Heroes directly with as much info as you can provide, and we can take a look:
    http://help.smugmug.com
  • WinsomeWorks Registered Users Posts: 1,935 Major grins
    edited October 4, 2013
    AperturePlus wrote: »
    Hi Richpepp. It is weird, isn't it, and a bit concerning. The galleries that are showing up were both created and then protected before any uploading happened.

    It's not even just weird; it's VERY concerning and rather horrible. And it rots that you posted this several hours ago and there's still been no SmugMug response. Good grief, this could be very bad for a lot of people if it's not just you having the issue. I just can't believe how many issues there have been with password-protected & private galleries... Evidently a lot of messed-up coding there. (ETA: I see there's finally one response. It's a start.)
    Anna Lisa Yoder's Images - http://winsomeworks.com ... Handmade Photo Notecards: http://winsomeworks.etsy.com ... Framed/Matted work: http://anna-lisa-yoder.artistwebsites.com/galleries.html ... Scribbles: http://winsomeworks.blogspot.com
    DayBreak, my Folk Music Group (some free mp3s!) http://daybreakfolk.com
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 4, 2013
    It looks like pictures.com just uses the search engine of a couple of other providers to display its results, and possibly isn't even caching results itself. So which of the results columns do your password-protected images show up in?

    Is the photo you're seeing the featured image (often just the first photo) of the gallery?

    Did you ever collect photos from one of those unlisted galleries into a public one? There were some bugs (since fixed) that would have caused Google to cache links to your unlisted galleries if that occurred. If so, you can request Google to remove those pages from their index by signing up for Webmaster Tools.

    The other way to break cached links to unlisted galleries is to rename your gallery (or the folder it's in), which will make those cached results for pages into 404s.

    EDIT: I found those photos in the search results, they were in the SmugMug column! That means that SmugMug's search is currently returning those password-protected photos:

    http://www.smugmug.com/search/

    Just search for "apertureplus", I see them there! wtf! I would start by making that gallery Unlisted until SmugMug fixes it, which should hopefully remove them from the results.
  • Allen Registered Users Posts: 10,013 Major grins
    edited October 4, 2013
    Perhaps it is picking up the photos from the folder pages and only the passworded galleries in the folders are protected.
    I don't password my main category like "family" and featured images show there.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 5, 2013
    bobbyhero wrote: »
    Please reach out to the Heroes directly with as much info as you can provide, and we can take a look:
    http://help.smugmug.com

    Hi Bobby

    I think that this should be kept in the public domain, as it must affect many people here and they deserve to know about it, to take steps to avoid it!
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 5, 2013
    Lamah wrote: »
    Is the photo you're seeing the featured image (often just the first photo) of the gallery?

    Did you ever collect photos from one of those unlisted galleries into a public one? There were some bugs (since fixed) that would have caused Google to cache links to your unlisted galleries if that occurred. If so, you can request Google to remove those pages from their index by signing up for Webmaster Tools.

    Hi Lamah. There are around 400 images in this gallery and all are returning in the search. The gallery was set up with security options in place before the images were uploaded into it. They are not collected from anywhere else. They only exist in this gallery.

    Lamah wrote: »
    EDIT: I found those photos in the search results, they were in the SmugMug column! That means that SmugMug's search is currently returning those password-protected photos:

    http://www.smugmug.com/search/

    Just search for "apertureplus", I see them there! wtf! I would start by making that gallery Unlisted until SmugMug fixes it, which should hopefully remove them from the results.

    It is a MAJOR security breach for Smugmug and needs to be addressed as a matter of urgency. I have made the gallery unlisted now, but the results are the same. They have obviously been cached.

    I would be interested to hear from others that use private or unlisted galleries to see if they are seeing the same thing? Search for a keyword that you know appears on an image of yours that is in a private gallery and see if you are seeing what I am seeing?
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 7, 2013
    I urgently need feedback on this one guys. You have a serious security hole.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 7, 2013
    In the gallery settings, try turning the world searchable and smugmug searchable options to "no". (Of course, it absolutely shouldn't be required to turn these off if the gallery has a password on it).

    Did you end up contacting the support heroes as mentioned earlier? This'll let them know that there's an issue.
  • richpepp Registered Users Posts: 360 Major grins
    edited October 7, 2013
    Lamah wrote: »
    In the gallery settings, try turning the world searchable and smugmug searchable options to "no".

    That's interesting, I wonder if it's the smugmug one? I would doubt it is the world one as the images don't appear anywhere as thumbnails and they aren't anywhere in the sitemap files.
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 7, 2013
    Lamah wrote: »
    In the gallery settings, try turning the world searchable and smugmug searchable options to "no". (Of course, it absolutely shouldn't be required to turn these off if the gallery has a password on it).

    They have both been switched off at the time of the gallery creation, after which the images were uploaded.
  • richpepp Registered Users Posts: 360 Major grins
    edited October 7, 2013
    AperturePlus wrote: »
    They have both been switched off at the time of the gallery creation, after which the images were uploaded.

    Funnily enough I couldn't have imagined that you did anything else as you seem in control of the process :) . Guess we have to see what Smugmug say but I would think their RSS feed is the most likely now as the images were very small.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 7, 2013
    It's not the RSS feed, you could see full-size images (any size you like!) by using SmugMug's search feature at http://www.smugmug.com/search

    EDIT: Although when I try again now, I can no longer see those orphanage photos - did SmugMug fix that? Be sure to log out if you try it again. Of course they might just no longer be displaying because you marked the gallery as Unlisted.
  • WinsomeWorks Registered Users Posts: 1,935 Major grins
    edited October 7, 2013
    Lamah wrote: »
    It's not the RSS feed, you could see full-size images (any size you like!) by using SmugMug's search feature at http://www.smugmug.com/search

    EDIT: Although when I try again now, I can no longer see those orphanage photos - did SmugMug fix that? Be sure to log out if you try it again. Of course they might just no longer be displaying because you marked the gallery as Unlisted.
    Still disturbing that 3 days have now gone by without another comment from SmugMug. And the only comment (from a Hero) at all didn't even make any suggestions about the problem. AperturePlus is correct; other SmugMuggers should be made aware if there's an issue, and should be seeing a solution here, and/or answers from SmugMug. People want to know if their passworded or private or unlisted galleries are safe in the ways they expect.
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 7, 2013
    I am getting miffed at the lack of response, other than to take it away from here.

    Guys you need to reply to this. I am going to leave the images where they are for a further 12 hours and then remove them (and you then might not be able to troubleshoot this... unless you have known about it all along?)

    Clive
  • Andy Registered Users Posts: 50,016 Major grins
    edited October 7, 2013
    AperturePlus wrote: »
    I am getting miffed at the lack of response, other than to take it away from here.

    Guys you need to reply to this. I am going to leave the images where they are for a further 12 hours and then remove them (and you then might not be able to troubleshoot this... unless you have known about it all along?)

    Clive

    The heroes will have to have a link to the gallery - and they will want to look at the settings. Have you emailed SmugMug Help directly?
  • ablichter Registered Users Posts: 294 Major grins
    edited October 7, 2013
    AperturePlus wrote: »
    Hi Lamah. There are around 400 images in this gallery and all are returning in the search. The gallery was set up with security options in place before the images were uploaded into it. They are not collected from anywhere else. They only exist in this gallery.

    What is the name of the gallery? When I search I got 404 images from the Everything-Gallery, which is not listed (in your menu) but a public one.

    At least until 30.09.2013 there have been unprotected folders with "kids-haven" in their URL. They have been in another structure then, so you must have changed structure in meantime.
    For example:
    /Event-Favorites/Kids-Haven
    /Event-Favorites/Kids-Haven/Adeles-Favorites -> latest modification: 2013-09-26
    /Event-Favorites/Kids-Haven/Anitas-Favorites -> latest modification: 2013-09-03. So this has been public for almost a month.
    As can be seen in your sitemap at the time of writing - from my own experience I can tell: password protected folders/galleries do NOT show up in the sitemap.
    Since your sitemap already is a week old it will be changed within the next ~12 hours.
  • AperturePlus Registered Users Posts: 374 Major grins
    edited October 7, 2013
    Thanks ablichter. That does explain something for me. The way I went about this was as follows:

    I created the event in account settings as an unlisted and pw protected event and added two people to the event. I then uploaded the images into the event.

    When the event is created, the participant's favourite galleries are automatically set up.

    I have now gone and checked the settings on the 'favorites' galleries and I see that they are set to public. This must be where the issue is? One would have thought, that if a secured event is set up, that anything else created by the gui (ie. the participant's favorite galleries) would be secured as well. A bug as far as I am concerned.

    Thanks for the help.
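
The gap identified in the post above (favorites galleries auto-created for a protected event but left public) can be caught by comparing each derived gallery's settings with those of its source event. This is an added example, not SmugMug's code or API: the field names, the `source_event` link and the `/Events/Kids-Haven` path are assumptions, and the data is constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Gallery:
    path: str
    password: bool
    unlisted: bool
    site_searchable: bool
    world_searchable: bool
    source_event: Optional[str] = None  # hypothetical link to the event it was created for

# Constructed settings export. The favorites paths are the ones quoted in the
# thread; the event path and all field names are assumptions for illustration.
EVENT = "/Events/Kids-Haven"
GALLERIES = [
    Gallery(EVENT, True, True, False, False),
    Gallery("/Event-Favorites/Kids-Haven/Adeles-Favorites", False, False, True, True, EVENT),
    Gallery("/Event-Favorites/Kids-Haven/Anitas-Favorites", False, False, True, True, EVENT),
    Gallery("/Portfolio/Landscapes", False, False, True, True),
]

def exposures(source, derived):
    """List the settings on which `derived` is more exposed than `source`."""
    checks = [
        ("no password", source.password and not derived.password),
        ("listed", source.unlisted and not derived.unlisted),
        ("site-searchable", derived.site_searchable and not source.site_searchable),
        ("world-searchable", derived.world_searchable and not source.world_searchable),
    ]
    return [name for name, exposed in checks if exposed]

def audit(galleries):
    """Map each derived gallery's path to the protections it failed to inherit."""
    by_path = {g.path: g for g in galleries}
    report = {}
    for g in galleries:
        source = by_path.get(g.source_event)
        if source and (found := exposures(source, g)):
            report[g.path] = found
    return report

def harden(galleries):
    """Return copies in which derived galleries are at least as restricted as their source."""
    by_path = {g.path: g for g in galleries}
    def inherit(g):
        s = by_path.get(g.source_event)
        if s is None:
            return g
        return replace(g, password=g.password or s.password, unlisted=g.unlisted or s.unlisted,
                       site_searchable=g.site_searchable and s.site_searchable,
                       world_searchable=g.world_searchable and s.world_searchable)
    return [inherit(g) for g in galleries]
```

`audit(GALLERIES)` flags both favorites galleries on all four settings, and `audit(harden(GALLERIES))` comes back empty, which is the inherit-by-default behaviour the post expected from the event setup.
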
  • ablichter Registered Users Posts: 294 Major grins
    edited October 7, 2013
    AperturePlus wrote: »
    Thanks ablichter. That does explain something for me. The way I went about this was as follows:

    I created the event in account settings as an unlisted and pw protected event and added two people to the event. I then uploaded the images into the event.

    When the event is created, the participant's favourite galleries are automatically set up.

    I have now gone and checked the settings on the 'favorites' galleries and I see that they are set to public. This must be where the issue is? One would have thought, that if a secured event is set up, that anything else created by the gui (ie. the participant's favorite galleries) would be secured as well. A bug as far as I am concerned.

    Thanks for the help.

    As Andy said we need precise folder names or URLs to tell more about it. Not that I can check in case they are protected, but the Heroes do.
    The folder names I mentioned are not existing anymore... so it's hard to tell even by what you are explaining, and I am afraid: as a portfolio user I can't create events and by this don't know the mechanism behind that.

    In the morning I was able to search for "kids" on your site and two or three images came up, one of a colored boy, not in the normal galleries. I can't reproduce that anymore.
    Good luck.