Did you know that your data on any #google product is available globally with a public URL? No password, no security, anything. Go to your google dashboard and request to download your data, after that you will see a JSON file for each photo you have, each message you sent or for anything you use inside google ecosystem from purchasing products to YouTube search history. You will see that public URL in that JSON file
@ggnoredo You can't even download your data as a JSON file... I can only get a zipfile containing the data slammed in something like my GDrive or Dropbox (or mailed to me or w/e)
@ggnoredo Hmm.. interesting... if I export my photos it indeed seems to give a public URL as well...
That's ehm... kinda bad yea...
@pedro Jepp :)
Here's one of the URLs I fished out of the JSON: https://lh3.googleusercontent.com/-9_tZJrWksoA/WzJHpCzXz9I/AAAAAAAADIY/052Wwo7DZsQPF4CKYWnftbY5FhwDqdyowCLABGAYYCw/s0-d/IMG_20180626_160245.jpg
@finlaydag33k freaking weird
@finlaydag33k nice laptop though :)
@pedro thnx :p
It's my old workhorse...
@ggnoredo @finlaydag33k @pedro @coy this is not an issue at all, most of the big sites do this to make sharing easier. The URLs are public but the length of the string acts as a sort of password. Calculate how many different combinations you can have with those characters and I assure you it would be a number too big to do anything with. Theres a reason why this discovery isnt big news that everybody knows
@coy Tbf... I'm literally writing a scraper/bruteforcer rn XD
@coy @finlaydag33k @ggnoredo @pedro you are not smarter than Google engineers, there's plenty of battles to easily win on privacy and this is not one of them. If you think those URLs are being scraped then you do not know enough about what you're talking about to comment. I'm really disheartened from trying to make points on and challenge people on here because it just falls on death ears. My points are ignored.
@teko I think you underestimate the issue here.
The issue is not about Google scraping the images but "malicious" people scraping the images.
It'll take a tremendous amount of resources to do so but the fact that it's actually possible like this is just mind boggling.
If those Google engineers really where that smart as you claim, they'd probably have this link only in there if it was a public image to begin with.
@finlaydag33k passwords can be cracked even though it would take 100 years, lets get rid of passwords
Their service is not made for you, its made for the mass amounts of people who like to share things and they get to benefit off using it for advertising and using it to train for ML
@finlaydag33k I was always fully aware that malicious actors were the point being raised and I've never given any indication that I misunderstood that
@teko There's a difference between passwords, which are fairly insecure by design and what's going on here.
Google as made the conscious choice of putting your image available publically, even if I didn't give consent to it.
If I clicked an image and set it to "public" or "unlisted" then I understand this url is available.
If I did not, however, it shouldn't.
Simple as that.
A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - welcome