Skip to main content

Google Photos and the unguessable URL

Google Photos and the unguessable URL


That public web address is more secure than it looks

Share this story

A few days after Google's big Photos rollout, a user on Reddit noticed something fishy. "I was browsing through my photos and wanted to see the full size of an image so I right-clicked," RossFletch wrote. That took him to an open URL, still accessible when he was in incognito mode. By the logic of Photos, the image should have been private — he hadn't clicked the share button — but through this URL, it was available to anyone who typed in the right string of characters. He even pulled the image using Wget, a web-scraper utility, routed through a virtual server to hide his identity. However he came at the URL, his picture still came up. "How is this possible when this image isn't shared with anyone?" Fletch asked.

But what looked like a vulnerability on Reddit is actually something much more complex and less hair-raising. Google uses this kind of private-but-shareable URL across a number of services, along with Facebook and other companies. The URLs aren’t a meaningful security problem — that is, it would be extraordinarily difficult to use this technique to spy on someone else's photos — but the system never fails to cause alarm when users stumble on it. As more and more of our photos are kept in walled gardens controlled by Google, Facebook, or Apple, conventions like the Share button have come to feel inseparable from ideas of security and privacy. As Photos looks to transcend those boundaries, it’s ended up confusing our ideas of what good privacy practices look like.

What looked like a vulnerability is actually something much more complex

So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you'd have to work through 10^70 different combinations to get the right one, a problem on an astronomical scale. "There are enough combinations that it's considered unguessable," says Aravind Krishnaswamy, an engineering lead on Google Photos. "It's much harder to guess than your password." Because web traffic for Photos is encrypted with SSL, it's also kept secret from anyone on the network who might be listening in.

More importantly, the photo isn't placed at that URL until you ask for it. Google Photos normally pulls its images through a more complex back-end system, but when a user right-clicks on one of their own images, Photos responds by placing the image at the designated public URL. Essentially, Google has reverse-engineered the right-click. By right-clicking, you’re summoning the image into existence at a public (though impossible to guess) URL, a rough equivalent of clicking a "Share" button. Google could probably be more transparent about this process, but since the URLs are functionally impossible to guess, you’re not much more exposed than you were before the click.

Google has reverse-engineered the right-click

The larger result is that only a tiny portion of Google Photos pictures are actually placed on public URLs. Google also has engineers on the lookout for anyone making scans or otherwise fishy requests from their servers, so if someone did try to scan through the duovigintillions of possible URLs, they would be blocked before getting through a couple million.

Being sure that no one will guess the URL at random, Google engineers are free to give significantly more freedom to anyone who has the URL. As RossFletch documented, you can access that same photo from another computer or another continent. You can give it to a friend or pull it through an automated scraper, and it will load just the same. For Google, that's a feature. Maybe you'd like to share the photo with a friend who doesn't have a Google account, or build an automated system to pull the photo onto another system.

In some sense, that's how passwords are supposed to work: as long as you've got the password, you don't need anything else. And unlike an account or a login, the string of characters can travel anywhere. "The value of URLs is that they're universal," says Vincent Mo, another lead engineer on Photos. "You can put it in a text message, you can put it in an email, you can put it on a webpage." Because we've been trained by two decades of right-clicking, it's also a system most web users already understand. It's that rarest of things: a genuinely open system.

"The value of URLs is that they're universal."

So why does it feel more like a hack than a feature? When Reddit stumbled onto the URLs, the group assumed they'd found something unauthorized, a hole Google had neglected to plug up. For the most part, it's because there was no clear sign of permission from Photos. The web is littered with "Share This" buttons, so it's strange to find a way to pull down a photo without one. Those buttons usually also lock you in a particular network, whether it's Facebook, Flickr, or even an all-purpose site like Tumblr. Even if you share more than you meant to, it's still theoretically confined to other people using the same service, or more specific channels like an email address or local file.

In that light, the Photos URL looks like a blank check. It can go anywhere, maybe even farther than you meant it to. If the service isn't in control, then who is? We're not used to systems that open, particularly from companies as big as Google, but once those services are cleaved off from social networks (like Photos was from Google+), that openness is the inevitable result. It’s a new kind of service, and it needs to be able to talk to everyone. The surprising thing may be that, without the sharing button, we need to learn a new way to use it.