Did you know that your data on any product is available globally with a public URL? No password, no security, anything. Go to your Google dashboard and request to download your data. After that you will see a JSON file for each photo you have, each message you sent, or for anything you use inside the Google ecosystem, from purchasing products to YouTube search history. You will see that public URL in that JSON file.

@ggnoredo You can't even download your data as a JSON file... I can only get a zipfile containing the data slammed in something like my GDrive or Dropbox (or mailed to me or w/e)

@pedro @ggnoredo downloaded it, looked in the JSON file... aaaaand nothing (tested with locationhistory).
So unless it has to be a specific one and/or there is a major difference between the exported for Country A and Country B, I'ma have to call bs on this one...

@finlaydag33k @pedro sorry but no. Please have a look at the screenshot that belongs to 1 of my photos in Google Photos. That URL is public.

@ggnoredo Hmm.. interesting... if I export my photos it indeed seems to give a public URL as well...

That's ehm... kinda bad yea...

@ggnoredo @finlaydag33k @pedro @coy this is not an issue at all, most of the big sites do this to make sharing easier. The URLs are public but the length of the string acts as a sort of password. Calculate how many different combinations you can have with those characters and I assure you it would be a number too big to do anything with. There's a reason why this discovery isn't big news that everybody knows.

@teko @pedro @finlaydag33k @ggnoredo >security by obscurity
It isn't big news because everyone expects this sort of behavior now, as if it were normal, which it is the new norm but it is not normal. I 100% guarantee you that those URLs are being scraped in large quantities just for the hell of it, for sensitive data, for blackmail, etc. To presume Google or whoever has your best interests in mind is essentially suicide.

@coy Tbf... I'm literally writing a scraper/bruteforcer rn XD

@coy @finlaydag33k @ggnoredo @pedro you are not smarter than Google engineers, there's plenty of battles to easily win on privacy and this is not one of them. If you think those URLs are being scraped then you do not know enough about what you're talking about to comment. I'm really disheartened from trying to make points on and challenge people on here because it just falls on deaf ears. My points are ignored.

@teko I think you underestimate the issue here.
The issue is not about Google scraping the images but "malicious" people scraping the images.
It'll take a tremendous amount of resources to do so but the fact that it's actually possible like this is just mind boggling.

If those Google engineers really were that smart as you claim, they'd probably have this link only in there if it was a public image to begin with.

@finlaydag33k passwords can be cracked even though it would take 100 years, let's get rid of passwords

Their service is not made for you, it's made for the mass amounts of people who like to share things and they get to benefit off using it for advertising and using it to train for ML

@finlaydag33k I was always fully aware that malicious actors were the point being raised and I've never given any indication that I misunderstood that

@teko There's a difference between passwords, which are fairly insecure by design and what's going on here.

Google has made the conscious choice of putting your image available publicly, even if I didn't give consent to it.
If I clicked an image and set it to "public" or "unlisted" then I understand this URL is available.
If I did not, however, it shouldn't.
Simple as that.

@teko @finlaydag33k @pedro @coy it doesn't matter. That picture was my private, Google can go fuck himself with their machine learning and 80 pages long privacy agreements

@selea: That's really freaking scary. I wonder what other services do that
