Possible security issue

flyingdutchie · May 16, 2008

Hello,

I got an answer on my last question on the "APIs, Hacks and Tricks" forum on how to get the original of your image when the gallery is set to not show any originals. The answer was to use the OriginalURL. This gave me the following URL (parts of URL xxxx-ed out).

http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285xxxxxxxxxxxxxxxxxxxxxxxx00db-2.jpg

I pasted this into my browser (FireFox, IE) and the browser showed me the original image. This is fine, but i was not logged in!

Should the URL above show allow the user to see the original image if the user is not the owner of the image (i.e. the user is not logged in or logged in as someone else)?

richW · May 16, 2008

The largest image you should be able to get is the size you have selected in the gallery settings. If Medium is the largest display size, that should be the biggest you can get even if you change the url to original.

Medium set in the gallery settings where this image is. This should be a 600x375 image: http://www.smugmug.com/photos/230466181_vo3Sn-O.jpg

The Original size: 4446px x 2780px

Is the url you are using different than the one above? If so, could you email it to the help desk so we can take a look: http://www.smugmug.com/help/emailreal

flyingdutchie · May 16, 2008

I don't mind if this one gets nicked from the internets.:D

This URL is obtained by first logging in, then executing the images.getInfo API call (smugmug API) and obtaining the OriginalURL attribute.

http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d087089c18f10dd2a0eaf00db-2.jpg

The security issue is small, because it is hard to guess the 3285b15... ...00db value, but still... you can get the image even when logged out.

This image above is from a gallery that allows only Large images to be shown: http://www.streetsofboston.com/gallery/994065

PBolchover · May 16, 2008

That URL doesn't work for me (perhaps you forgot to log out before testing it)

The URL http://flyingdutchie.smugmug.com/photos/45469061_by3hY-O.jpg gives a Large-sized image

flyingdutchie · May 16, 2008

PBolchover wrote:

That URL doesn't work for me (perhaps you forgot to log out before testing it)

The URL http://flyingdutchie.smugmug.com/photos/45469061_by3hY-O.jpg gives a Large-sized image

Indeed, the one ending in '-O.jpg' gives you only a large version of the image. But the URL that i posted (the one ending in '00db-2.jpg') gives you the full-sized version.

ivar · May 16, 2008

flyingdutchie wrote:

Indeed, the one ending in '-O.jpg' gives you only a large version of the image. But the URL that i posted (the one ending in '00db-2.jpg') gives you the full-sized version.

Not for me it doesn't

Are you sure the image was not cached? Did you try a different system or clean browser?

PBolchover · May 16, 2008

Except that I can't retrieve the URL ending in '00db-2.jpg'. I suspect that it only works when logged in.

flyingdutchie · May 16, 2008

PBolchover wrote:

Except that I can't retrieve the URL ending in '00db-2.jpg'. I suspect that it only works when logged in.

In case dgrin mangled the URL:

http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d087089c18f10dd2a0eaf00db-2.jpg

flyingdutchie · May 16, 2008

ivar wrote:

Not for me it doesn't Are you sure the image was not cached? Did you try a different system or clean browser?

Here is what i get when i use graburl.exe for this image:

C:\>graburl -h http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d08
7089c18f10dd2a0eaf00db-2.jpg
HTTP/1.0 200 OK
Date: Fri, 16 May 2008 20:52:39 GMT
Server: Apache
X-SmugID: 27.27.208
ETag: "3285b15d087089c18f10dd2a0eaf00db"
X-Robots-Tag: noarchive, noindex, nosnippet
X-Powered-By: smugmug/1.2.1
Last-Modified: Wed, 02 May 2007 03:56:40 GMT
Expires: Mon, 18 May 2009 20:52:39 GMT
Cache-Control: public
Content-Length: 2452662
X-FS: T
Connection: close
Content-Type: image/jpeg

graburl is not using any cookies or any caching. It just retrieves the direct http-respsonse.

You'll see the content length is 2,42,662. This is the size of the original image. Removing the -h option downloads the actual original image.

Andy · May 16, 2008

flyingdutchie wrote:
Here is what i get when i use graburl.exe for this image:
C:\>graburl -h http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d08
7089c18f10dd2a0eaf00db-2.jpg
HTTP/1.0 200 OK
Date: Fri, 16 May 2008 20:52:39 GMT
Server: Apache
X-SmugID: 27.27.208
ETag: "3285b15d087089c18f10dd2a0eaf00db"
X-Robots-Tag: noarchive, noindex, nosnippet
X-Powered-By: smugmug/1.2.1
Last-Modified: Wed, 02 May 2007 03:56:40 GMT
Expires: Mon, 18 May 2009 20:52:39 GMT
Cache-Control: public
Content-Length: 2452662
X-FS: T
Connection: close
Content-Type: image/jpeg
graburl is not using any cookies or any caching. It just retrieves the direct http-respsonse.

You'll see the content length is 2,42,662. This is the size of the original image. Removing the -h option downloads the actual original image.

This is by design. You can only get this URL by authenticating that you are the owner of the image, so there's no security risk unless you spread the URL around yourself. Make sense?

flyingdutchie · May 16, 2008

Andy wrote:

This is by design. You can only get this URL by authenticating that you are the owner of the image, so there's no security risk unless you spread the URL around yourself. Make sense?

I understand.

Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one.

Andy · May 17, 2008

flyingdutchie wrote:

I understand.
Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one.

So we can do things like send Originals off to the lab for print, etc.

DrDavid · May 17, 2008

flyingdutchie wrote:

I understand.
Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one.

The URL can't be guessed. You can only get the URL while logged in to begin with. So, it's not like someone could just query for all the original filenames and download them all.....

Unless someone can demonstrate a CSS (cross site scripting, not cascading style sheets..

) or similar attack to trick a user into authenticating for the purpose of running the get original url api command, this is a total non-issue in my book.

David

flyingdutchie · May 17, 2008

Andy wrote:

So we can do things like send Originals off to the lab for print, etc.

This is a very good reason!

flyingdutchie · May 17, 2008

DrDavid wrote:

The URL can't be guessed. You can only get the URL while logged in to begin with. So, it's not like someone could just query for all the original filenames and download them all.....

Unless someone can demonstrate a CSS (cross site scripting, not cascading style sheets.. ) or similar attack to trick a user into authenticating for the purpose of running the get original url api command, this is a total non-issue in my book.

David

That's right... the chance of someone guessing this URL is really small.
And if someone gets my smugmug credentials, i have more things to worry about than just him/her running the getURLs or getInfo command

DrDavid · May 17, 2008

flyingdutchie wrote:

That's right... the chance of someone guessing this URL is really small.
And if someone gets my smugmug credentials, i have more things to worry about than just him/her running the getURLs or getInfo command

Not only do they need the MD5 hash, but they ALSO need the 5 digit security key. And, even if they spend a few hundred years getting ONE photo that way, the odds that they can ever get more than one is so insignificantly small that it would be easier to just hack into your account by trying all the password combinations it can....

Which brings me to a question: does smugmug limit the number of authentication attempts within a given time period?

David

Possible security issue

Comments