Private Photos on Google+ and Facebook are only protected by random characters

If you are using an Android device you may have configured it to automatically upload photos that you make using the device to Google Plus.

 

Those photos are not available to the public by default, but only to you. Google notes on a help page that this is the highest level of privacy as the web albums -- read your photos -- are only visible to the user who created them.

You can change the visibility of individual photos so that they become visible by a group of people or the public.

What you probably do not expect is that all your private photos are only protected by random characters but not by access restrictions.

If you find out the folder and file structure, by chance or brute forcing in the wild, you can access private photos of Google Plus users without problem.

Here is the full url structure of the link: https://lh4.googleusercontent.com/-bP0oitsdun0/UJJAJ17wtHI/AAAAAAAAAVY/…

As you can see, quite a few random folders and characters are part of the address.

Note:  The random characters used in the file path make it very unlikely that someone would go through length to brute force private photos on Google Plus. Still, since there does not seem to be any restriction in place to prevent direct access to private photos, it is something that you should be aware of if you are using Google's service.

Want an example? Here is a private photo that I have uploaded to Google Plus. You can click on the link to open it in your browser of choice. You do not need to be signed in to a Google account to do so.

Test this yourself

Want to test this yourself to see if your photos are vulnerable? Do this:

1. Open the photos browser on Google Plus.
2. Locate a photo that you have not shared with anyone on this page or create a new one by uploading one to the service.
3. If you use Firefox, right-click on the image and select "copy image location".
4. If you use Google Chrome, right-click on the image and select "copy image url".
5. If you use Opera 15+, right-click on the image and select "copy image address".
6. If you use Internet Explorer, right-click on the image and select "copy".
7. Paste the information in a different browser, or in a private browsing window. The image should load just fine, even if you are not signed in to your Google account.

Deactivate photo upload

You can disable auto backup of photos that you take using the Google Plus application on your device. Here is how you do so on Android.

1. Open the Google+ app on the device.
2. Tap on the settings icon in the top right corner and select settings from the menu.
3. Tap on Auto Backup on the next page.
4. Switch Auto Backup from On to Off at the top.

Facebook

Photos on Facebook use the same mechanics. When you upload photos to the social networking site and set them to be visible to "only me", you would expect them to be protected even from lucky guesses or brute forcing.

You can copy any private photo url on the site and open it in another browser that is not linked to your Facebook account, and it works just as good as it does on Google Plus.

The url is reasonably long as well on Facebook, but if you want to make sure that your private photos are indeed this, you should not upload them to the site in first place as anyone with the right url may open them.

Closing Words

Some users may not see this as a problem, as the length of the random characters makes it unlikely that someone successfully brute forces or guesses photo urls. Even if they do, they cannot link the photos to particular users on the site.

Privacy conscious users on the other hand may demand better protection of their private photos on the two social networking sites.