On a bit of a RSS trip here aren’t we? 😀
Anyway, this is something I came across a few weeks back and it’s been bugging me ever since.
Since everyone likes a stroke (and I’m no exception) – I have subscribed to the feed for comments on my photos at Flickr. Now, the RSS feed for the recent comments takes the following format:
http://api.flickr.com/services/feeds/activity.gne?user_id=<Your Flickr ID>&format=rss_200
The Flickr ID in the above link is a 12-character alpha-numeric string that every Flickr User gets when they register for the first time.
Unfortunately, there is no authentication on this particular RSS feed – which means that if you know a user’s Flickr ID, you can easily see all the comments that any one makes on that individual’s photos.
The Flickr ID is incredibly easy to find as well – if you haven’t picked a “easy name” for your Flickr photostream – it directly appears on your photostream. Even otherwise, the Flickr API provides this information readily and there are Greasemonkey scripts out there that make this a single right-click.
So what’s the problem you ask? Anyone can see those comments anyway – sheesh! Well yes, anyone can see the comments on your public photos, but by reading your recent comments feed they can see comments on any private photos as well, i.e., those photos which you have marked as family/friends only.
Further more, the recent comments feed provides the URL for the medium size of your private photos. Downloading the original resolution images is then trivial – merely requiring replacement of a “_m” in the URL with a “_o”.
The creep factor just increased substantially didn’t it?
Now by default, using the RSS format means that no authentication mechanims are supported directly. Basic authentication can be used (which would take the format http://username : email@example.com/services/feeds/activity.gne?user_id=<Your Flickr ID>&format=rss_200), but this isn’t directly supported by the protocol.
On the other hand, the ATOM format does support authentication (see the RFC) and Flickr infact uses ATOM for all photostream RSS feeds. So why not switch the private feeds to ATOM as well?
For the oldest reason in software development: security is just not sexy – so something like this is always going to fall to the bottom of the pile.
Right upto the moment when some-one abuses this loop-hole that is. And the Flickr forums go up in flames (as they have tended to do fairly regularly these days).
Here’s hoping this gets patched soon – oh and could I get a pony with that?
Update: I spoke to soon. Flickr does in fact protect your private photos. See this follow-up post.