Private Gallery Photos Found in Google Search!

Umbris Registered Users Posts: 36 Big grins
edited February 29, 2008 in SmugMug Support
I just found a link to my recent photos (hack/feed/RSS) in Google. This wouldn't be bad, but the landing page shows thumbnails from several password protected galleries in which I have selected "no" for hello world! and hello smuggers!

Link

This is really not good. Please help me make it stop!

Thanks
Alan

But only in their dreams can men be truly free. 'Twas always thus, and always thus will be.
- John Keating

http://umbris.com

Comments

  • mbellot Registered Users Posts: 465 Major grins
    edited February 29, 2008
    Umbris wrote:
    This is really not good. Please help me make it stop!

    +1 on this. I just checked mine and was not happy...

    Is there any way to completely disable RSS feeds, not just remove the link at the bottom of the page?
  • jfriend Registered Users Posts: 8,097 Major grins
    edited February 29, 2008
    mbellot wrote:
    +1 on this. I just checked mine and was not happy...

    Is there any way to completely disable RSS feeds, not just remove the link at the bottom of the page?

    Are you guys sure about this? When I check the RSS feed on a password protected gallery, it does not return any data unless I'm logged in in this browser on that account or have recently entered the password for that gallery in this browser.

    If I go to a virgin browser that isn't logged in to my account and hasn't recently supplied the password to the gallery, the RSS feed on a password protected gallery doesn't give me any data.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • DrDavid Registered Users Posts: 1,292 Major grins
    edited February 29, 2008
    Were you guys logged into smugmug when you checked? It'll show the private gallery photos if you are authenticated. Try using a totally different browser that does NOT have you logged in and see if you can see the private photos then.

    I suspect you won't be able to. At least, I *hope* you won't be able to!

    David
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 29, 2008
    Jfriend is correct. Be sure you are viewing in a non-logged in browser. When I go to your feed url link you gave, I get no private photos in my logged out browser.
  • Umbris Registered Users Posts: 36 Big grins
    edited February 29, 2008
    That was it...Thanks
    You're right, that was the issue. I did not realize that it worked that way.

    Thanks for the clarification and sorry for the panic.
    Alan
  • mbellot Registered Users Posts: 465 Major grins
    edited February 29, 2008
    Andy wrote:
    Jfriend is correct. Be sure you are viewing in a non-logged in browser. When I go to your feed url link you gave, I get no private photos in my logged out browser.

    OK, but there is still a problem...

    I'm using the hack to hide categories and subcategories so I don't have to hide a bunch of galleries and deal with breadcrumb problems.

    Since the galleries are public and only hidden by virtue of the hack hiding their category/subcategory they do show up in the RSS feed.

    Which brings me back to my question.

    Is there a way to actually disable the RSS feed completely?
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 29, 2008
    mbellot wrote:
    Is there a way to actually disable the RSS feed completely?
    Only by making galleries private, or your site private.
  • mbellot Registered Users Posts: 465 Major grins
    edited February 29, 2008
    Andy wrote:
    Only by making galleries private, or your site private.

    But if I make the galleries private (unlisted) then nobody can see them without a direct link (or share group link). Creating a share group works, but as soon as you try to use the breadcrumbs to navigate things go south quickly.

    The scenario I'm stuck in the middle of right now is this...

    I am taking pictures for a grade school variety show. The PTA (understandably) doesn't want the pictures viewable to random site visitors.

    I managed to figure out how to hide categories and subcategories using the hacks posted here on DGrin (and some tweaking for subcategories).

    I then created a custom category with a custom subcategory (to prevent random trolling of known SmugMug categories) and hid them.

    Parents are given a vanity URL (another great hack) in the school newsletter so they can land directly on the subcategory page.

    Since the 30 or so galleries are two levels deep, using unique and hidden category and subcategory values I thought it would be reasonably safe to leave them public so breadcrumbs would function normally.

    But along comes RSS feeds and blows that out of the water... Grrr!

    Why can't I turn them (feeds) off without having to take my whole site private? Seems like that should be my choice...
  • jfriend Registered Users Posts: 8,097 Major grins
    edited February 29, 2008
    mbellot wrote:
    But if I make the galleries private (unlisted) then nobody can see them without a direct link (or share group link). Creating a share group works, but as soon as you try to use the breadcrumbs to navigate things go south quickly.

    The scenario I'm stuck in the middle of right now is this...

    I am taking pictures for a grade school variety show. The PTA (understandably) doesn't want the pictures viewable to random site visitors.

    I managed to figure out how to hide categories and subcategories using the hacks posted here on DGrin (and some tweaking for subcategories).

    I then created a custom category with a custom subcategory (to prevent random trolling of known SmugMug categories) and hid them.

    Parents are given a vanity URL (another great hack) in the school newsletter so they can land directly on the subcategory page.

    Since the 30 or so galleries are two levels deep, using unique and hidden category and subcategory values I thought it would be reasonably safe to leave them public so breadcrumbs would function normally.

    But along comes RSS feeds and blows that out of the water... Grrr!

    Why can't I turn them (feeds) off without having to take my whole site private? Seems like that should be my choice...

    I take lots of pictures for the school and kid sports teams. I password protect the galleries with a password that's easy for anyone who knows the school or team to remember. It works great and nobody has ever complained or said they had trouble getting in. The password on the gallery blocks RSS feeds, any search engine, public API access and everything else. Further, multiple galleries all with the same password will only prompt once for that password so it works well for the viewer even if you have more than one gallery with the password.

    Keep in mind that even if RSS feeds were blocked, the Smugmug API could still see those galleries because they are public galleries. If you don't want the galleries to be public, then you can't make them public. There are lots of different ways in to public galleries by design (home page, RSS, API, search, etc...). Also keep in mind that the SmugIslands feature only keeps out well-behaved search engines that choose to respect a "no-search" directive. It doesn't keep other crawlers out.
    --John
  • mbellot Registered Users Posts: 465 Major grins
    edited February 29, 2008
    jfriend wrote:
    I take lots of pictures for the school and kid sports teams. I password protect the galleries with a password that's easy for anyone who knows the school or team to remember. It works great and nobody has ever complained or said they had trouble getting in. The password on the gallery blocks RSS feeds, any search engine, public API access and everything else. Further, multiple galleries all with the same password will only prompt once for that password so it works well for the viewer even if you have more than one gallery with the password.

    Keep in mind that even if RSS feeds were blocked, the Smugmug API could still see those galleries because they are public galleries. If you don't want the galleries to be public, then you can't make them public. There are lots of different ways in to public galleries by design (home page, RSS, API, search, etc...). Also keep in mind that the SmugIslands feature only keeps out well-behaved search engines that choose to respect a "no-search" directive. It doesn't keep other crawlers out.

    Good info. I knew passwords worked that way, but the PTA wanted to avoid using a password since it would invariably cause some percentage of calls asking for it, but maybe that really is the best way for security purposes.

    Time for another go-round with the PTA...

    FWIW - I still think feeds should be something I decide to enable, even for public stuff.
  • Allen Registered Users Posts: 10,013 Major grins
    edited February 29, 2008
    mbellot wrote:
    Good info. I knew passwords worked that way, but the PTA wanted to avoid using a password since it would invariably cause some percentage of calls asking for it, but maybe that really is the best way for security purposes.

    Time for another go-round with the PTA...

    FWIW - I still think feeds should be something I decide to enable, even for public stuff.
    If you only want the search and feeds to not work and don't care if someone finds the gallery.
    Put the password in the hint to tell them what it is. :D
    Say "type this in password box above".
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • jfriend Registered Users Posts: 8,097 Major grins
    edited February 29, 2008
    mbellot wrote:
    Good info. I knew passwords worked that way, but the PTA wanted to avoid using a password since it would invariably cause some percentage of calls asking for it, but maybe that really is the best way for security purposes.

    Time for another go-round with the PTA...

    FWIW - I still think feeds should be something I decide to enable, even for public stuff.

    You can certainly ask for blocking RSS feeds (that's up to Smugmug), but just realize that the following doors are open for a public gallery, regardless of whether RSS feeds are enabled or not:
    • The gallery is listed in your site's HTML, even if you have hidden it. Any crawler or hacker or site scraper will see it.
    • The gallery is available via the API when public galleries are listed for your site.
    • The gallery is visible on the web to anyone with the gallery number.
    • The gallery is visible to anyone using any of the third party products that use the non-logged in part of Smugmug's API.
    As you can see, turning off RSS feeds isn't really very effective for blocking access. It's kind of like locking one of your four doors and leaving the other three wide open. And, you'd have to kind of know what you were doing to get the RSS feed anyway (insert gallery number in a properly formatted RSS URL), so if you are that knowledgeable, then you probably could figure out one of the other methods.

    Alan's suggestion is an interesting one. I've thought of using that one before for certain things. It's kind of like a Turing test or a Captcha in that it lets humans in, but not computers or automated scripts.
    --John
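An added example, not part of the thread and not SmugMug's or any poster's code: a small audit of a site owner's own page that illustrates the point made in the last post, namely that a gallery hidden with a display hack is still present in the HTML every client receives, and that a robots directive is only a request. The page markup, the gallery paths and the use of an inline `display:none` style are constructed assumptions; a hack that hides via a stylesheet or script would report as "served and visible", which is the same exposure.

```python
from html.parser import HTMLParser

# Constructed sample page: one category is hidden with an inline CSS hack.
SAMPLE_PAGE = """
<html><head><meta name="robots" content="noindex,nofollow"></head><body>
<div class="category"><a href="/gallery/1001">Landscapes</a></div>
<div class="category" style="display: none">
  <a href="/gallery/2002">Variety Show</a>
</div>
</body></html>
"""

VOID = {"meta", "img", "br", "link", "input", "hr"}  # tags with no end tag


class ExposureAudit(HTMLParser):
    """Record every link in the markup and whether inline CSS hides it."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside a display:none element
        self.links = {}         # href -> True if CSS-hidden
        self.robots = None      # content of <meta name="robots">, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = a.get("content")
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = self.hidden_depth > 0 or "display:none" in style
        if tag == "a" and a.get("href"):
            self.links[a["href"]] = hidden
        if hidden and tag not in VOID:
            self.hidden_depth += 1  # track nesting until the element closes

    def handle_endtag(self, tag):
        if self.hidden_depth and tag not in VOID:
            self.hidden_depth -= 1


def audit(page_html, sensitive_hrefs):
    """Return ({href: status}, robots_directive) for links meant to be private."""
    parser = ExposureAudit()
    parser.feed(page_html)
    report = {}
    for href in sensitive_hrefs:
        if href not in parser.links:
            report[href] = "not in markup"
        elif parser.links[href]:
            report[href] = "served but CSS-hidden"
        else:
            report[href] = "served and visible"
    return report, parser.robots
```

Any link reported as "served" is readable by every client that fetches the page regardless of the robots value returned; only the gallery's privacy or password setting changes what the server sends.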