SmugMug's Private Photos Aren't Really Private

By Stan Schroeder

Photo hosting site SmugMug apparently has a security issue which allows anyone to easily access other users' photos which have been marked as "private," reports Google Blogoscoped. What's worse, the folks at SmugMug are aware of the issue, but claim this is intended behavior, separating the notions of "privacy" and "security."

In a nutshell, the problem is this: if you set your photos as "private", they can still be accessed simply by URL manipulation; for example, I randomly typed in this URL "http://www.smugmug.com/gallery/1021" in my browser and got someone's gallery that, perhaps, was not intended for the whole world to see. It is possible to prevent this behavior by setting a special password for your image/gallery, but how many people understand this?
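An added example (not from the article or from SmugMug): a defender-side check that scans web access logs for a single client walking numeric `/gallery/<id>` URLs, the kind of URL manipulation described above. The log lines, the thresholds and the no-Referer heuristic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2008:10:00:01 +0000] "GET /gallery/1019 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2008:10:00:02 +0000] "GET /gallery/1020 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2008:10:00:03 +0000] "GET /gallery/1021 HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2008:10:00:04 +0000] "GET /gallery/1022 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2008:10:00:05 +0000] "GET /gallery/1023 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2008:10:01:00 +0000] "GET /gallery/1021 HTTP/1.1" 200 7340 "http://blog.example.org/trip" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2008:10:02:00 +0000] "GET /gallery/88231 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2008:10:03:00 +0000] "GET /gallery/1021 HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /gallery/(?P<gid>\d+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for gid in sorted(set(ids)):
        run = run + 1 if (prev is not None and gid == prev + 1) else 1
        best = max(best, run)
        prev = gid
    return best

def find_enumerators(log_text, min_distinct=4, min_run=3):
    """Return {ip: sorted gallery ids} for clients that appear to walk ids."""
    direct = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Heuristic (assumption): count only hits without a Referer; a link
        # followed from a blog or forum page carries one.
        if m.group("referer") in ("", "-"):
            direct[m.group("ip")].add(int(m.group("gid")))
    # 404s are counted too: misses are part of the pattern when ids are guessed.
    return {ip: sorted(ids) for ip, ids in direct.items()
            if len(ids) >= min_distinct and longest_run(ids) >= min_run}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A visitor who opens one or two shared links directly stays under the thresholds; only the client requesting a consecutive block of gallery ids is reported.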


Here's an excerpt from SmugMug's CEO Don MacAskill's long conversation with Google Blogoscoped:

"...we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in without a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.
