Question
In the Flickr privacy settings page there's a setting entitled "Who can access your original image files?". If I set this to anything other than "Anyone" (e.g. "Only you" or "Your contacts"), is it still possible for an unauthorised user to access the original image without someone giving them the URL for it? (Assume that my original photo is larger than 1024px, so there's an Original version distinct from the Large version. Also assume it's not Creative Commons licensed.)
I'm well aware that once an image has appeared in their browser, a determined user can easily download it regardless of any disincentives (e.g. JavaScript blockers) the browser tries to put in their way. However, I believe the following are correct:
An unauthorised user will just see an error page if they try to view the Original Size page on Flickr (e.g. this page).
Although the URL of that page is easily guessable (just add sizes/o/ to the end of the regular photo page URL), the URL of the actual original image file has a random component and cannot easily be guessed.
There are plenty of people on Flickr and elsewhere saying the disable download setting is useless, but I haven't seen any proof. Does anyone know for certain that it can be bypassed? If you say yes, I'll expect you to prove it by sending me the original size of my latest image! (It's meant to be available to friends & family only - so not you, Uncle Goober...)
Some context: I should point out I'm not looking to steal photos, I'm trying to understand how safe mine are, specifically with regard to this geofences loophole that was reported today.
Answer
I did some investigation on my own, using my own Flickr account and a non-logged-in browser.
Here's the All Sizes page for one of my photos.
Prior to me changing the "Who can access your original image files?" setting in Privacy & Permissions, a generic Internet user could see the "Original" link in addition to the other sizes. That page had an <img> tag that linked to this URL. The "All Sizes" page also had a link that said Download the Original size of this photo. (If you check the URLs, note that there's a _d suffix on the file name; Flickr will see this and trigger the HTTP header that tells the browser to download instead of display the image).
For comparison, here's the Large size page and the corresponding image URL.
Then I changed the privacy setting, cleared the cache on my non-logged-in browser, and rechecked the links. Here's what I found:
- The link to the original size page now redirects to the large size page. That's reasonable.
- The All Sizes page didn't have the Original size links any more, as expected.
- I was still able to download the original size image.
- This is a bit surprising. It means that, while there are access restrictions on the pages containing the images, there's no security on the images themselves.
- As a web developer I can understand why they probably did this. The images are large and static and probably served via a content delivery network. It's faster/more efficient to not check permissions for image files; you can simply host them on a "dumb" web server that way.
So, once the URL for the original file is known, there's no way to stop someone from downloading the original version of the file (short of deleting it entirely... and that may not even work. I didn't try).
One last issue: how guessable are the original file URLs? Here they are side-by-side:
Large: http://farm7.static.flickr.com/6126/6044833128_cc02cf41e3_b.jpg
Original: http://farm7.static.flickr.com/6126/6044833128_3b8eac89d7_o.jpg
So, the suffix (_b or _o) determines the size, but there's also another element in the filename that varies depending on the size. You can't just change the suffix to flip sizes. Here's the URL for the Large version with the suffix switched to _o; it doesn't work.
If I was Flickr, I'd make sure that that middle element was completely random per photo size, and hence unguessable except by brute force attack. It's 40 bits long, so there's a lot (2^40, ~1 Trillion) of possible options. It's very unlikely anyone would bother to brute-force that segment just to get the original size version of a file... when they already have the large version.
So, as long as you've turned off the "Original file download" feature and you don't share the URLs of the original images, I'd say that the Flickr feature is pretty secure. If it breaks, it's pretty much your own fault.
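An added example, not part of the original answer: it parses the two static URLs quoted above, confirms that the middle element is 40 bits and differs between sizes, and estimates how long guessing it would take. The field names, the assumption that the element is uniformly random, and the 1000 requests per second rate are illustrative assumptions.

```python
import re
from typing import NamedTuple

# Shape of the static image URLs quoted in the answer:
#   http://farm<N>.static.flickr.com/<server>/<photo_id>_<secret>_<size>.jpg
# The field names are labels chosen for this example, not Flickr's terms.
STATIC_URL = re.compile(
    r"^https?://farm\d+\.static\.flickr\.com/\d+/"
    r"(?P<photo_id>\d+)_(?P<secret>[0-9a-f]+)_(?P<size>[a-z])\.jpg$"
)

class StaticImage(NamedTuple):
    photo_id: str
    secret: str
    size: str

def parse(url: str) -> StaticImage:
    m = STATIC_URL.match(url)
    if m is None:
        raise ValueError(f"not a recognised static image URL: {url}")
    return StaticImage(m["photo_id"], m["secret"], m["size"])

def secret_bits(img: StaticImage) -> int:
    # Each hex digit carries 4 bits.
    return 4 * len(img.secret)

def shares_secret(a: StaticImage, b: StaticImage) -> bool:
    # True would mean one size's URL can be derived from another's
    # by swapping the suffix alone.
    return a.photo_id == b.photo_id and a.secret == b.secret

def expected_years_to_guess(bits: int, requests_per_second: float) -> float:
    # Assumes a uniformly random secret: on average half the space
    # is tried before a hit.
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / requests_per_second / (365.25 * 24 * 3600)

# The two URLs from the answer.
LARGE = "http://farm7.static.flickr.com/6126/6044833128_cc02cf41e3_b.jpg"
ORIGINAL = "http://farm7.static.flickr.com/6126/6044833128_3b8eac89d7_o.jpg"

if __name__ == "__main__":
    large, original = parse(LARGE), parse(ORIGINAL)
    print("secret length:", secret_bits(original), "bits")
    print("suffix swap enough:", shares_secret(large, original))
    # 1000 requests/second is an assumed rate, chosen for illustration.
    print("years at 1000 req/s:", round(expected_years_to_guess(40, 1000), 1))
```

The estimate only holds if the element really is random per size; once the URL itself leaks (a shared link, a referrer, a cached page), the length of the secret no longer matters.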