Google Photos is sending your private shares public and you don’t even know it

July 15, 2019 by John Aldred 85 Comments

Researcher Robert Wiblin over at 80,000 Hours spotted something quite interesting about Google Photos recently. He noticed that privately shared links became publicly accessible. He told some friends who use Google Photos and they didn’t believe him. After all, why would Google allow such an oversight? Surely if you’re sharing privately with a specific person, then only that person can see it, right?

Apparently not. After doing a little digging, Robert was able to demonstrate that these privately shared links are publicly accessible from any Google account, or even if you’re not logged into Google at all – as shown when he was able to access a “private” shared link from an Incognito browser window.

Robert details the complete issue in a post over on Medium. About the video above, he says…

What have you just watched? If I go and share a photo with a specific other Google Account, I can use that link to view it in:

another Google Account it wasn’t shared with (25 seconds in), and;

an incognito window where I’m not logged into any Google Account at all (39 seconds in)!

If that ‘secret’’ link is ever revealed, anyone anywhere will be able to see it until I go and delete that specific sharing instance. And I’d have no way to find out that they were viewing it!

People constantly tell me I can’t be right about this — it’ll happen in the comments below, I promise — because the interface never indicates that this is going on. Nowhere did “Create shared URL” or anything similar appear in the video.

Furthermore, the interface looks very similar to Google Drive, which by default only lets people see a file when logged into the specific account it was shared with.

Drive also lists who a file is shared with when you click the share icon — so people using Photos naturally assume their photos are private when they see that nobody is listed when they click the ‘share’ icon.

One would expect that Google Photos would work the same way as Google Drive, given that until recently, the two were intrinsically linked. But that is not so. The behaviour we expect and the behaviour shown in Google Drive is not the same in Google Photos. The instant you share your private photo with anybody, then anybody else who can get hold of the URL is able to view it.

So, whereas Google Drive operates private shares in a similar fashion to “Private” videos on YouTube, Google Photos appears to be more like YouTube’s “Unlisted” videos, which are accessible to anybody with the link.

This method of operation isn’t inherently bad, but the problem is that Google Photos does not warn people that anybody with this link will be able to view the images. The intended recipient of the link also doesn’t know that anybody can view it. They assume it’s a private share for their eyes only, and don’t think twice about censoring the link if they forward the conversation to somebody else.

And by default, these links stick around forever until you explicitly go and delete the share.

While for photographers it might cause for a few embarrassing moments sending what we think is a private link to a client, depending on what those images contain, potentially exposing private client images to the world might be illegal.

So, photographers, if you really want to share private images with your clients, or even your friends and colleagues, don’t use Google Photos.

You can read more about the problem over on Robert’s Medium post.

Quoted excerpt used with permission.

About John Aldred

John Aldred is based in Scotland and photographs animals in the studio and people in the wild.

You can find out more about John on his website and follow his adventures on YouTube and Facebook.

« Here are this year’s best Amazon Prime deals for photographers and filmmakers

This is how food and drink commercials can fool you with their trickery »

Dušan DuPe Pethö

Why?
Derek A. Khine

That string of letters and numbers at the end of the URL, is a share key. Anyone has access to the URL will have access to the photo, which is a fact already stated on Google Photos website and app. If you copy and paste the entire URL to another person it will be shared. It works the same when you copy and paste the image to another person, it will be made available to that person. Besides, Facebook and every other site hosts everyone’s content on their CDN such as fbcdn.net unencrypted. Stop trying to make a big deal out of nothing.
Adrian J Nyaoi

Why the hooohaaa? It has alwsys been like that. People who use it already know.
Stefan Florin

It is ridiculous you guys just made an article on it. It is obvious from the start when you share the link.
- NB
  
  Yes it’s obvious when you share a link. The article is not about that though. When you share with a specific Google account (not create a link, not by email), it still creates a public link anyone can access, without mentioning it anywhere. You would think it will work like Google Drive, only the chosen Google account can access it, but it doesn’t, and doesn’t mention it.
Christopher Bement

It’s always worked as ‘anyone with the link cank view’. So stop sharing your dick pics with less than trustworthy people.
Julia Clark

So does this mean you’re in for Storming Area 51? https://media2.giphy.com/media/VvFa13MF2ZrZS/giphy.gif
Kevin Doebler

Hey John, this is kind of lazy. I saw a very similar article on Medium and the author made the same assumption/mistake (as pointed out in the comments section of both articles.)

I’m glad readers are correcting the authors who, seemingly, do very little research.

This really comes off as click bait.

Please don’t pass of your user error as a possible software bug. It’s working as expected.
- Kaouthia
  
  Ok, then if this is working as intended, why do Google Drive and YouTube not work the same way when you share something with a specific Google account?
  
  What user error?
  - Bob Bigellow
    
    Google Drive and YouTube are different services.
    
    All sharing options in Google Photos has always been the equivalent of sharing an attachment in an email, but instead of the attachment needing to be physically present in the email, the link is. Therefore, just as anyone with a copy of the email can read the contents of said email, anyone with a copy of the link can also access the photo.
    
    Google Drive and YouTube just happen to have even deeper levels of private sharing than this.
  - Kevin Doebler
    
    Why are you under the impression that creating a public shareable link is just for one specific account?
    
    My guess is at some point this was poorly worded in the Photos UI.
    
    But IMO, it’s very clear when you generate a shareable link, you can send that link to anyone you want. (Which, by design, is preferred)
    
    You don’t have to generate a new link for each person.
    
    Otherwise, you could only share with Google people (and your iphone friends who don’t have gmail accounts are locked out)
    - NB
      
      Yes it’s very clear when you share a link. The article is not about that though. When you share with a specific Google account (not create a link, not by email), it still creates a public link anyone can access, without mentioning it anywhere. You would think it will work like Google Drive, only the chosen Google account can access it, but it doesn’t, and doesn’t mention it.
Tex

This is how share by URL has worked forever. You’re an idiot.
- Jake Sutter
  
  I thought the same thing, but no matter how you share in Photos (link, directly in Photos, etc), it supplies a link that is accessible by anyone with the link.
  - raazman
    
    Not sure what’s the issue with that.
  - Ракс Тэдди
    
    Youre not understanding what people are telling you. Youre selecting share by link. Dont do that if youre trying to share it only to specific accounts. Look at the options again. Disable the link and start typing names of specific people in your address book or exact email addresses. It has been this way from the near beginning. A decade if not more..
    - MarioMan
      
      By sharing via email, the link associated with the “View photo” button will still open while logged out.
      - Ракс Тэдди
        
        The only thing youre sharing by email is the link. By the means of an email. It does not mean only those addresses get to open it. It never was.
      - NB
        
        You are correct, but the problem is that when sharing with a specific Google account (not with “create a link”, and not by email), a public album gets created. It doesn’t inform you about that, and you would think if you shared to a specific Google account, only that Google account can access it, but anyone can.
    - Jake Sutter
      
      Try it on your own and find out. The link is publicly accessible no matter how you share it in Photos. The link isn’t guessable, but it can still be accessed by anyone with the link.
      - Ракс Тэдди
        
        “The link isn’t guessable, but it can still be accessed by anyone with the link.”
        
        That’s precisely the intention. This is a use case scenario where the owner either doesn’t wish yo bother with individual user authorization, or its not practical – such as giving it out to a general mass of people.
        
        Instead of having to add each additional friend of a friend, the link can simply be shared by those people down the line. This is an extremely common use case scenarios and the functionality was created to accommodate it.
        
        The list of emails youre referring to is merely who you intend yo send it to from the initial release. Not – only these people can use it. For that type of share no link would be needed. As it would require the allowed people to be logged in to validate their identity.
      - Jake Sutter
        
        The point is that you do not get a private account based sharing solution in Google Photos. Like you have with Youtube or Google Drive. Whether or not it has been like that since the beginning is irrelevant.
      - Ракс Тэдди
        
        the point that you continue to be missing is that the article is wrong. google is not making your private photos public. its giving you a private key that is up to you to keep safe. its like saying “your lock manufacturer is making your private house public, because it gives you a key and you give it to others who can copy it.”
        
        current functionality was and is an intended design. if you want a feature that’s different from it, that’s not a flaw. that’s a new feature wish list. submit a feature request.
Rex

This is how share by URL works. You’re an idiot.
- Jerky McJerkface
  
  I was about to say the same thing.
- Phil D
  
  No it’s not Share by URL, ie “Anyone with the link can view”. He’s sharing to a specific user, only that user should be able to view that photo. It should require authentication/authorization.
  - Tom Raines
    
    No, it shouldn’t. That’s what sharing by link is for. You don’t want it shareable? Share it literally any other way.
    - Phil D
      
      Again it’s not sharing by link, at least not explicitly. You’re confusing it with the “Create shareable link” feature.
  - Jose Delacruz
    
    I see your point but you can share an album with others and also simply share by URL which literally anyone with the link can view. These are two completely different things.
    - NB
      
      The point is that you can’t. You can’t “share an album with others” and make it only accessible to them. Even when you do that, and don’t check the “create a link” option, it still creates a public link. You correctly say they are completely different things, and yet they work exactly the same without letting you know – a public album gets created, with a public link, even when you don’t want to create a link.
edlih

Not news. It’s just a link. Always been a link. It’s like sharing a YouTube video. It’s only private in that it won’t show up in searches.
- Max Ehrlich
  
  Both youtube and google drive have private options which are only visible by the google accounts you choose
  
  https://support.google.com/youtube/answer/157177?co=GENIE.Platform%3DDesktop&hl=en
  
  https://support.google.com/drive/answer/7166529?co=GENIE.Platform%3DDesktop&hl=en
  - Jake Sutter
    
    So does Google Photos. When you share from your phone (not sure if it’s the same with web photos) it gives you an option to share it directly to their Photos app with NO LINK (privately).
    - Max Ehrlich
      
      It does not, please repeat the following procedure
      
      1. From the google photos app, share a photo choosing the persons name, ensuring that “google photos’ is below their name (e.g. not using email and not using link sharing)
      2. Navigate to the google photos website and visit the “sharing” tab from the menu on the left hand side
      3. You will see that photo you just shared in a shared album, click on the album then copy the URL into an incognito tab
      4. even though you are not logged in (incognito mode) you can see the photo that was shared to specific person, through the app, using google photos mode only, as you describe
      
      I don’t blame you for being confused about this, you and a lot of other commentors are assuming that the author is an idiot because it is ridiculous that a private share to a specific person would result in a publicly accessible album. The fact that you are confused about the result of this procedure is exactly why it is a problem.
      - Jake Sutter
        
        Got it. I see what you are saying.
      - Merrill Sampson
        
        Tried this. Following your instructions to the letter. The photo IS private and requires logging into an account with access to continue. If you log into another account that it wasn’t shared to you will get a Google 404 Page Not Found error.
      - Max Ehrlich
        
        With all due respect I don’t buy it. Post the link here and I’ll try to access it
      - Merrill Sampson
        
        Go nuts. https://photos.google.com/photo/AF1QipODxLoj_fqUuBix4VvOd5cAc3tZ0aj74_0M61Nu
      - Max Ehrlich
        
        Sorry I should have been clearer, I need some way to verify that you aren’t just sending me a random link which, of course, will 404. We’ve had 4-5 people follow that procedure separately and they all verified the link is publicly accessible so you would be the only one who somehow made a private link. We’ve also had several people come forward who are some kind of “power users” of google photos who have confirmed that this is always how it’s worked and they’re fine with it. So forgive me if I’m suspicious that you’re trolling. If you can come up with a protocol whereby I can be certain you’ve followed the instructions and shared a link that is valid for you then I’m happy to repeat this experiment
- Morten Ulv
  
  Well, Google Photos links are also ~impossible to guess. Youtube links aren’t.
  - mmond4
    
    right, hasn’t it been this way forever ? the URL is basically like an unguessable password. Here’s an article from 2015 that talks about this: https://www.theverge.com/2015/6/23/8830977/google-photos-security-public-url-privacy-protected
Stephen Holst

The funny part is that I always test my links by pasting them in an Incognito window before sharing them. I have the fear that I’ll send a link to the wrong album. I didn’t realize others thought this was a security flaw.
- Ракс Тэдди
  
  Its not a security flaw. This is the intended design. To share it with specific addresses the owner adds them to the privacy setting. Author is ignorant.
  - Jose Delacruz
    
    Indeed
  - NB
    
    It doesn’t work though. When you share with specific Google accounts they still become public, even if you don’t select “create a link”. That’s the whole point of the article.
- Youkhan
  
  I do the same 😆
Bret Harrell

This article is an embarrassment!!! Private Google link sharing has always worked this way. When you privately share a link to photos or drive items, anyone with the link can view – but people can’t find the link with a Google search. If you want more security, you can share it with a specific Google account, and then they’ll have to log in in order to view it. This is not a news story. You are incorrect when you say this is an oversight by Google. You need to submit a retraction. Please refrain from writing stories on topics you don’t understand!!
- Max Ehrlich
  
  You’re confused, please see my other comment. You and many other people are confusing this (understandably) with the “link sharing” feature, this is actually what happens when you choose to share with a specific google account. E.g. even though you selected to share with a specific person the photos are made public. Google drive on the other hand does check that the viewer has rights (not a public share).
- Kaouthia
  
  That’s the point, Bret, there is no secure sharing on Google Photos. When you share it with a google account, anybody with the link can see it, not just the google account you shared it with.
  
  Google drive, yes, it’s only accessible with the specific logged in Google account. YouTube, too, with Private videos. Google Photos, no. Even if you share it with a specific account, anybody can access it.
- NB
  
  If you want more security, you can share it with a specific Google account, and then they’ll have to log in in order to view it.
  
  This is not true, and that is the point of the article. When you share with a specific Google account, the photos are made public and the Google user receives the public link to them. They don’t have to be logged in to see them, nor does anyone else.
  I think you should take back that “refrain from writing on topics you don’t understand” comment.
Some Guy

If you didn’t realize this then you should probably just stay off the internet.
Max Ehrlich

This is a legitimate problem and I’m stunned at the amount of people saying defending google saying that’s how it works, authors are idiots etc. This is objectively not the right way to handle sharing. I love google photos, it’s OK to like a product and still recognize that it has flaws.

A common thing people are saying is that “that’s how link sharing works”. You guys are confusing this with the “link sharing” function. this is *not* the link sharing function, this is what happens when you select to share wit ha *specific google account*.

Please try this for yourself

1. Select a photos
2. Share it and pick the *Google Photos* account for a person, *not* share link and *not* share to email address, it should specifically be the *google photos* account.
3. After sharing, you can either find the shared album in your albums or click the “view” botton on the bottom left popup to navigate to the album
4. Copy the URL from the album into an incognito window, you will be able to view the album even though you had selected to share with *only a specific Google account*

If I share with a google account, google should absolutely be checking that the account viewing the album is the one that I shared with. That is a no brainer, and it’s not really defensible. If it cant work that way, then it should be up front that you are only choosing to send a *public link* to the google account that you are selecting.
Doigt DuPeuple

Huh…. It’s a link…. So..anyone who has the link can see the pics.. it’snot a privately shared page… It’s a link you share privately, if someone shares this link with someone else, they will see the pics…
- NB
  
  This article is not about sharing by link. It’s about sharing with a specific Google account. Which results in a public link being created and accessible by anyone, not just the account you shared with. When you do the same in Google Drive for example, only the Google account you shared with can access the photos. In Google Photos you do the same thing (share with a specific Google account), and the result is totally different – the photos become public.
Paul

This is useful information for people who didn’t know it. However, the headline is pure clickbait.
The Real Saxon

This is only a problem if your are a total retard. In which case, everything on the internet is dangerous
Merrill Sampson

Sorry, but I just tested this out with a friend. If you’re sharing it privately, no link is created or visible ANYWHERE. What you are doing is sharing by link, which, of course, creates a link. Sorry you’re too dumb to internet.
- Max Ehrlich
  
  Any time you share a photo it creates a “shared album” which you can find under the ” shared” tab on the website (it’s a bit hidden) the URL for that is public.
Ronnie

This article is more embarrassing than the original. You had the benefit of the other comments pointing out that this is literally how the internet works…

Next you’ll be telling me password reset links are insecure because if I forward one anyone can click it
Niels Swimberghe

Same thing happens when you send media though Google Hangouts
Henden G.

Well, yeah. It’s been like that since forever! You can share directly to other people or you can get a URL (with a disclaimer that anyone who has the link can access). It’s like getting surprised that your public YouTube video is viewable by the public. It’s only a surprise if you don’t read what you click into.
S. David VdR

I’m glad some of the other comments say the same thing. You clearly make a link to share. What do you think happens when someone visits the link? Some people have no common sense.
- NB
  
  This article is not about sharing by link. It’s about sharing with a specific Google account. Which results in a public link being created and accessible by anyone, not just the account you shared with. When you do the same in Google Drive for example, only the Google account you shared with can access the photos. In Google Photos you do the same thing (share with a specific Google account), and the result is totally different – the photos become public..
TomTom900913

This is priceless 😂😂😂 please write more of this garbage so I can then read all of the comments about how wrong you actually are 😅😂🤣 LOL
- NB
  
  How is he wrong (serious question)? Everything in the article is true.
n4n

Hi John, this is not something new. Since day one there was no private sharing (account based) on Google Photos, only public URL sharing. This is actually the reason I don’t use it at all.
vladhed

Click bait. It’s “security by obfuscation”, which most times is good enough. Google quite clearly says anyone with this link can see the photo. This should not come as a surprise to anyone.

Don’t like it? Use some other platform.
- NB
  
  No they don’t say it. When you share with a specific Google account it doesn’t mention any links being created, yet the photos become public.
n4n

While I still think the title is a bit of too dramatic, I tend to agree on the message: Google should clearly AND consitenly differentiate between URL sharing and account based sharing. This is not the case now because when you click “Share” the UI presents information in such a way that implies a difference between URL sharing and account sharing (there are two types of contants: contacts with Google Photos accounts AND non-Google Photos contacts). Later on, when you click on “Options” you realize that is not the case (because disabling “[1] Anyone with the link can see these photos and [2] the people who’ve been invited or have joined” would automatically disable the sharing completely — which breaks a bit the logic of the initial UI and the phrasing of the mentioned option: [1] and [2]).
On the other hand, if you cut off the key part of the URL and give the remaining part to other people, it works as expected (only authenticated Google accounts may view the actual content behind the URL).
Lion5

What a sad era when this type of false alarmist drivel passes for journalism. The Net has enabled too many people to become “journalists” without any credentials, research, or editor.
Gary V

Sort of a moot point since Google makes it clear that you’re posting a link that can be viewed by anyone who has the link.
- NB
  
  Makes it clear when you share a link. The article is not about that though. When you share with a specific Google account (not create a link, not by email), it still creates a public link anyone can access, without mentioning it anywhere. You would think it will work like Google Drive, only the chosen Google account can access it, but it doesn’t, and doesn’t mention it.
angryoaf

Sorry dudes, I’m well aware how it works.
I’m actually confused by your confusion.
Phil D

I thought the workaround would be to not send an email and share to their Google Photos account only. But nope, same problem.
chowner

This is misleading at best. Really this is just trashy clickbait
Jay

Do they not know or they just don’t read the fine print?
Jay

They don’t know or they just do not read the fine print?
Michael Tan

There are 2 ways to share.

1. Share to another Google Photos account. No other Google account can access except those explicitly shared with.

2. Share by url method. Everyone can access. This is design by necessity.

This is the way it’s supposed to work. Entire article and the guy who reported this are just not bright enough to know that this is default action, obvious and by design.
Michael Tan

I have verified:
Michael Tan

I’ve verified and recreated all the steps:

1) SHARE by URL. Result: anybody can access – expected behavior.
Steps:
1) Select photo
2) press share on top right
3) Select CREATE LINK
4) Open link in incognito Window
5) It opens

This is expected behavior. When you CREATE LINK this way, it should create a public share, and anyone with URL can access it.

2) SHARE by choosing `other’ Google photos users, but NOT sharing by URL. Result: anybody can access – UNEXPECTED BEHAVIOR
Steps:
1) Select photo
2) press share on top right
3) Select (another name)/Google Photos
4) Go to the (another name) account and receive the email
5) Press on the ‘shared photo with you’ link
6) Photo opens in another window, link appears
7) Copy link
8) Open incognito browser window with no login
9) Paste link in the incognito window
10) Photo can be seen.

This is unexpected behavior. One would expect the url to be inaccessible if the account were not logged into the (another name) account. This means that all private shares are also public shares, and there’s no difference between public shared url and photos shared with another google photos account.
Jose Delacruz

You are right but wrong. I have always known that AnYone with the link can view the item. Not sure what the concern is.
MASATO “syntaxsystem” Null

Yes, Google Photos UI uses the word “Link shared” and “You & friend” separately under sharing.
It indicates apparently that any other people cannot access the album when it says “You & friend” , but the situation is different as per this article.
This isn’t a bug but Google should modify the sentence more easy-to-follow.
The best practice is to adopt true restrictive sharing like Google Drive.
carl janes

I think this is a serious online security issue.
Tim Bambam

A this legal for Google to do? I would think a Class Action Lawsuit might be needed.
Stephen Adams (Galegalamros)

This is NOT Share by URL! Google Hangouts works the exact same way as Google Photos. You and another Google friend have a hangout conversation together. Sharing a picture with that friend in Hangouts creates a publicly view-able link. One would think that b/c it’s another Google user in your hangout conversation one would need to authenticate if you are anyone BUT the members of that conversation. I agree though with the author and @disqus_zFFR4MxfUQ:disqus . If sharing to another Google user it should grant that user perms to view/edit depending on how the owner has it setup. Now if sharing to a non-Google user then sharing by URL would need to happen b/c it’s not the same permissions eco-system, so YES, that URL is readable by anyone unless you can share with a password for the specific link(whether it’s linked to a individual picture or Album(but I don’t think sharing with a password is supported in either Photos or Hangouts)).
Now, Google Drive’s sharing system is properly done. Specific shares to specific google accounts or by URL for non-google accounts. But the Hangouts and Photos systems do generate a long URL as an effort to make it difficult for web scrappers to find it. But it is still find-able if someone really wanted to script a web search. Which someone with good python/html skills could do. And I think they could do with some moderate ease after some research of pattern recognition.
At the minimum, since the interface doesn’t tell the user that what they share in Google photos to another google friend or in Hangouts to other Google friends is publicly accessible (not publicly puiblished, but still accessible) Google should at least be upfront about how the sharing system works for each of their platforms.