Possible security issue

flyingdutchie Registered Users Posts: 1,286 Major grins
edited May 17, 2008 in SmugMug Support
Hello,

I got an answer on my last question on the "APIs, Hacks and Tricks" forum on how to get the original of your image when the gallery is set to not show any originals. The answer was to use the OriginalURL. This gave me the following URL (parts of URL xxxx-ed out).

http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285xxxxxxxxxxxxxxxxxxxxxxxx00db-2.jpg

I pasted this into my browser (FireFox, IE) and the browser showed me the original image. This is fine, but I was not logged in!

Should the URL above allow the user to see the original image if the user is not the owner of the image (i.e. the user is not logged in or is logged in as someone else)?
I can't grasp the notion of time.

When I hear the earth will melt into the sun,
in two billion years,
all I can think is:
    "Will that be on a Monday?"
==========================
http://www.streetsofboston.com
http://blog.antonspaans.com

Comments

  • richW Registered Users Posts: 941 Major grins
    edited May 16, 2008
    The largest image you should be able to get is the size you have selected in the gallery settings. If Medium is the largest display size, that should be the biggest you can get even if you change the url to original.

    Medium set in the gallery settings where this image is. This should be a 600x375 image: http://www.smugmug.com/photos/230466181_vo3Sn-O.jpg

    The Original size: 4446px x 2780px

    Is the url you are using different than the one above? If so, could you email it to the help desk so we can take a look: http://www.smugmug.com/help/emailreal
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 16, 2008
    I don't mind if this one gets nicked from the internets.:D

    This URL is obtained by first logging in, then executing the images.getInfo API call (smugmug API) and obtaining the OriginalURL attribute.

    http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d087089c18f10dd2a0eaf00db-2.jpg

    The security issue is small, because it is hard to guess the 3285b15... ...00db value, but still... you can get the image even when logged out.

    This image above is from a gallery that allows only Large images to be shown: http://www.streetsofboston.com/gallery/994065
  • PBolchover Registered Users Posts: 909 Major grins
    edited May 16, 2008
    That URL doesn't work for me (perhaps you forgot to log out before testing it)

    The URL http://flyingdutchie.smugmug.com/photos/45469061_by3hY-O.jpg gives a Large-sized image
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 16, 2008
    PBolchover wrote:
    That URL doesn't work for me (perhaps you forgot to log out before testing it)

    The URL http://flyingdutchie.smugmug.com/photos/45469061_by3hY-O.jpg gives a Large-sized image

    Indeed, the one ending in '-O.jpg' gives you only a large version of the image. But the URL that I posted (the one ending in '00db-2.jpg') gives you the full-sized version.
  • ivar Registered Users Posts: 8,395 Major grins
    edited May 16, 2008
    flyingdutchie wrote:
    Indeed, the one ending in '-O.jpg' gives you only a large version of the image. But the URL that I posted (the one ending in '00db-2.jpg') gives you the full-sized version.

    Not for me it doesn't. Are you sure the image was not cached? Did you try a different system or clean browser?
  • PBolchover Registered Users Posts: 909 Major grins
    edited May 16, 2008
    Except that I can't retrieve the URL ending in '00db-2.jpg'. I suspect that it only works when logged in.
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 16, 2008
    PBolchover wrote:
    Except that I can't retrieve the URL ending in '00db-2.jpg'. I suspect that it only works when logged in.

    In case dgrin mangled the URL:
    http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d087089c18f10dd2a0eaf00db-2.jpg
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 16, 2008
    ivar wrote:
    Not for me it doesn't ne_nau.gif Are you sure the image was not cached? Did you try a different system or clean browser?

    Here is what I get when I use graburl.exe for this image:
    C:\>graburl -h http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d08
    7089c18f10dd2a0eaf00db-2.jpg
    HTTP/1.0 200 OK
    Date: Fri, 16 May 2008 20:52:39 GMT
    Server: Apache
    X-SmugID: 27.27.208
    ETag: "3285b15d087089c18f10dd2a0eaf00db"
    X-Robots-Tag: noarchive, noindex, nosnippet
    X-Powered-By: smugmug/1.2.1
    Last-Modified: Wed, 02 May 2007 03:56:40 GMT
    Expires: Mon, 18 May 2009 20:52:39 GMT
    Cache-Control: public
    Content-Length: 2452662
    X-FS: T
    Connection: close
    Content-Type: image/jpeg
    

    graburl is not using any cookies or any caching. It just retrieves the direct http-response.

    You'll see the content length is 2,452,662. This is the size of the original image. Removing the -h option downloads the actual original image.
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 16, 2008
    flyingdutchie wrote:
    Here is what I get when I use graburl.exe for this image:
    C:\>graburl -h http://flyingdutchie.smugmug.com/photos/45469061_by3hY-3285b15d08
    7089c18f10dd2a0eaf00db-2.jpg
    HTTP/1.0 200 OK
    Date: Fri, 16 May 2008 20:52:39 GMT
    Server: Apache
    X-SmugID: 27.27.208
    ETag: "3285b15d087089c18f10dd2a0eaf00db"
    X-Robots-Tag: noarchive, noindex, nosnippet
    X-Powered-By: smugmug/1.2.1
    Last-Modified: Wed, 02 May 2007 03:56:40 GMT
    Expires: Mon, 18 May 2009 20:52:39 GMT
    Cache-Control: public
    Content-Length: 2452662
    X-FS: T
    Connection: close
    Content-Type: image/jpeg
    

    graburl is not using any cookies or any caching. It just retrieves the direct http-response.

    You'll see the content length is 2,452,662. This is the size of the original image. Removing the -h option downloads the actual original image.

    This is by design. You can only get this URL by authenticating that you are the owner of the image, so there's no security risk unless you spread the URL around yourself. Make sense?
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 16, 2008
    Andy wrote:
    This is by design. You can only get this URL by authenticating that you are the owner of the image, so there's no security risk unless you spread the URL around yourself. Make sense?

    I understand. :D
    Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one?
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 17, 2008
    flyingdutchie wrote:
    I understand. :D
    Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one?

    So we can do things like send Originals off to the lab for print, etc.
  • DrDavid Registered Users Posts: 1,292 Major grins
    edited May 17, 2008
    flyingdutchie wrote:
    I understand. :D
    Guessing the MD5-sum part of this URL is very tricky. But since all other URL requests are guarded with a login-cookie, why not this one?

    The URL can't be guessed. You can only get the URL while logged in to begin with. So, it's not like someone could just query for all the original filenames and download them all.....

    Unless someone can demonstrate a CSS (cross site scripting, not cascading style sheets..) or similar attack to trick a user into authenticating for the purpose of running the get original url api command, this is a total non-issue in my book.

    David
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 17, 2008
    Andy wrote:
    So we can do things like send Originals off to the lab for print, etc.

    This is a very good reason! :D
  • flyingdutchie Registered Users Posts: 1,286 Major grins
    edited May 17, 2008
    DrDavid wrote:
    The URL can't be guessed. You can only get the URL while logged in to begin with. So, it's not like someone could just query for all the original filenames and download them all.....

    Unless someone can demonstrate a CSS (cross site scripting, not cascading style sheets..) or similar attack to trick a user into authenticating for the purpose of running the get original url api command, this is a total non-issue in my book.

    David

    That's right... the chance of someone guessing this URL is really small.
    And if someone gets my smugmug credentials, I have more things to worry about than just him/her running the getURLs or getInfo command :D
  • DrDavid Registered Users Posts: 1,292 Major grins
    edited May 17, 2008
    flyingdutchie wrote:
    That's right... the chance of someone guessing this URL is really small.
    And if someone gets my smugmug credentials, I have more things to worry about than just him/her running the getURLs or getInfo command :D

    Not only do they need the MD5 hash, but they ALSO need the 5 digit security key. And, even if they spend a few hundred years getting ONE photo that way, the odds that they can ever get more than one is so insignificantly small that it would be easier to just hack into your account by trying all the password combinations it can....

    Which brings me to a question: does smugmug limit the number of authentication attempts within a given time period?

    David
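As an added example (not SmugMug's code and not anything posted in this thread), the Python below models the two points the discussion turns on: how much secret material the URL's 5-character key and 32-hex-digit hash carry, and whether the response headers quoted earlier (Cache-Control: public with a one-year Expires) let a shared cache retain the original. It assumes the key alphabet is [A-Za-z0-9], that the hex part is unpredictable, and a filename layout inferred from the single URL in the thread.

```python
import math
import re
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit
# Constructed sample input: the URL and a subset of the headers quoted in the thread.
SAMPLE_URL = ("http://flyingdutchie.smugmug.com/photos/"
              "45469061_by3hY-3285b15d087089c18f10dd2a0eaf00db-2.jpg")
SAMPLE_HEADERS = """HTTP/1.0 200 OK
Date: Fri, 16 May 2008 20:52:39 GMT
ETag: "3285b15d087089c18f10dd2a0eaf00db"
Expires: Mon, 18 May 2009 20:52:39 GMT
Cache-Control: public
Content-Length: 2452662
"""
# Assumed filename layout, inferred from the one URL in the thread: <id>_<5-char key>-<32 hex>-<n>.jpg
FILENAME_RE = re.compile(r"^\d+_([A-Za-z0-9]{5})-([0-9a-f]{32})-\d+\.jpg$")

def token_entropy_bits(url):
    """Return (key_bits, hash_bits) of secret in a capability URL, or None if it has no token.
    Assumes the key alphabet is [A-Za-z0-9] and the hex part is unpredictable (128 bits)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    m = FILENAME_RE.match(name)
    if not m:
        return None
    key_bits = 5 * math.log2(62)     # about 29.8 bits
    hash_bits = 4 * len(m.group(2))  # 32 hex digits = 128 bits
    return key_bits, hash_bits

def parse_headers(raw):
    """Turn a raw HTTP response head into a dict keyed by lower-case header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def cache_findings(headers):
    """Flag caching directives that let a shared cache keep a secret-URL response."""
    findings = []
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "public" in directives:
        findings.append("Cache-Control: public allows shared caches to store the original")
    if not directives & {"private", "no-store"}:
        findings.append("no private or no-store directive on a capability URL")
    if "expires" in headers and "date" in headers:
        life = parsedate_to_datetime(headers["expires"]) - parsedate_to_datetime(headers["date"])
        if life.days > 1:
            findings.append(f"Expires is {life.days} days after Date: long cache lifetime")
    return findings
```

The '-O.jpg' form of the URL carries no hash and yields None from token_entropy_bits, which matches the thread's observation that it is served according to the gallery's display-size setting rather than as a secret link.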