Security Concerns

SamirDSamirD Registered Users Posts: 3,474 Major grins
edited October 25, 2016 in SmugMug API Support & Integrations
I just ran https://api.smugmug.com/api/v2/user/<username>!albums on my SM username. Every single one of my thousand+ galleries are unlisted. Without any type of authentication, I saw a list of albums and then was able to find the weburl of them with one click and then view the album.

Is this the intended functionality? :scratch If so, it presents a serious security flaw for unlisted galleries that are not password protected.
Pictures and Videos of the Huntsville Car Scene: www.huntsvillecarscene.com
Want faster uploading? Vote for FTP!

Comments

  • bwgbwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited October 25, 2016
    SamirD wrote: »
    I just ran https://api.smugmug.com/api/v2/user/<username>!albums on my SM username. Every single one of my thousand+ galleries are unlisted. Without any type of authentication, I saw a list of albums and then was able to find the weburl of them with one click and then view the album.

    Is this the intended functionality? <img src="https://us.v-cdn.net/6029383/emoji/headscratch.gif&quot; border="0" alt="" > If so, it presents a serious security flaw for unlisted galleries that are not password protected.

    Hi Samir,

    I just checked and was unable to reproduce this behavior. If you're logged into smugmug and use the live API browser, you're effectively authenticated. Try again in a logged out browser or incognito window and let us know if you're still seeing all the albums.
    Pedal faster
  • SamirDSamirD Registered Users Posts: 3,474 Major grins
    edited October 25, 2016
    bwg wrote: »
    Hi Samir,

    I just checked and was unable to reproduce this behavior. If you're logged into smugmug and use the live API browser, you're effectively authenticated. Try again in a logged out browser or incognito window and let us know if you're still seeing all the albums.
    Thank you for the quick reply. It's amazing how that rainbow puking unicorn stirs up so much nostalgia...rolleyes1.gif I didn't even realize 10 years have gone by. eek7.gif

    It didn't occur to me that being logged in would automatically authenticate me for the api. Sorry about that. I was able to confirm that no albums were shown in the api reply when I wasn't logged it. thumb.gif
    Pictures and Videos of the Huntsville Car Scene: www.huntsvillecarscene.com
    Want faster uploading? Vote for FTP!
  • SamirDSamirD Registered Users Posts: 3,474 Major grins
    edited October 25, 2016
    So in a question--how come the api would only show 50 galleries when it did return a list? Did I miss something to make it return all albums?
    Pictures and Videos of the Huntsville Car Scene: www.huntsvillecarscene.com
    Want faster uploading? Vote for FTP!
Sign In or Register to comment.