Am I making it up?

No I am not.  It’s a fact that individual photos are able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

This is a short, simple post.  Apparently I am making this all up (so the parent that noticed it and the email Sys IQ sent him don’t exist then?) and there is no problem with the photos.  I will be posting in more detail tomorrow night, but for now, if you are a Baby’s Days user and you think I’m on a witch hunt, you can try the following and see for yourself.

Go to a photo in your diary section.

Right click your mouse button.

You will see something that says something like, “copy image URL”.  Copy the URL into Notepad or Word or similar.


Log out of Baby’s Days.

Paste the URL back into your browser (e.g. Firefox or Chrome) and it will load the photo.  You will be able to see the photo even though you are not logged into Baby’s Days.

With some manipulation of the URL some people will be able to navigate to other children’s photos.  (The following was added at 23.41 on the 18th Feb after a few messages from people still confused)  The parent who informed me of this is using a Baby’s Days system that has the directory listing feature of Apache turned on.  This enables people to navigate through the directory structure of all images if they have one URL.  Hopefully this makes more sense?

Parents have the URL for their own children’s photos so they already know the URL for their own child’s photo.  Even if the directory feature is turned off, a parent can still gain access; they would need to alter the URL to access a different child’s photo.  That’s why a parent made this discovery, not just a random person (Thankfully!)  If you wanted you could write a computer programme to generate all the possible URL combinations and you would have access to every photo.  It’s not as simple as changing a digit here and there; the URL includes a JPG name that is random and also possibly a time and date stamp.  It wouldn’t be very easy to guess it, but it is possible.  Each individual photo should really be password protected.

If you log in as a parent and look for yourself as Mark Kahl has advised customers (to reassure you all it’s nice and safe), of course you will only be able to access your own child’s photos.  As I said, it’s a code problem, not a simple navigation front end error.  It is to do with the authentication of the code that has been used and the way in which the photos are named and dated as they are uploaded to the server.

The individual URLs for each child’s photo can, with some skill, not just by anyone, be second guessed and certainly can be easily guessed by a programme made for this purpose; it’s called image harvesting.  And because you don’t need to log in to see links to photos, anyone can access anyone else’s photos.

Hope that clears it up.

Sorry I had to post this explicit set of instructions, which I omitted from the first post for security reasons.  I hope it doesn’t affect anyone’s business, but I will not be called a liar by Mark Kahl and this is the only way to prove that what I am saying is true unfortunately.

Edited at 2pm on Thursday 19th Feb.  I downloaded a demo, I uploaded a photo, here is a link to the photo.

You can see my photo even though you are not logged into my demo site.  Individual photos do not have a password, this is what I’m trying to explain.  No doubt they are going to try and say “it’s different security because it’s only the demo site”, but that’s not true.
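
The fix the post asks for, every photo request checked against a login, as an added example (not Baby's Days code and not from the original post). The file names, accounts and the `photo_app` handler are constructed for illustration; the point is that the server decides per request, so a random file name or a disabled directory listing is never the only protection.

```python
"""Added example: photos served through a session check, not as public static files."""
import secrets
from http.cookies import SimpleCookie

# Constructed sample data (assumption): which child each stored photo belongs to,
# and which children each account is allowed to see.
PHOTO_OWNER = {"a3f9c2e1.jpg": "child-1", "77b0d4aa.jpg": "child-2"}
PHOTO_BYTES = {"a3f9c2e1.jpg": b"\xff\xd8child-1-jpeg", "77b0d4aa.jpg": b"\xff\xd8child-2-jpeg"}
ACCOUNT_CHILDREN = {"parent-a": {"child-1"}, "parent-b": {"child-2"}}

SESSIONS = {}  # session token -> account name, filled in at login


def login(account):
    """Stand-in for a real password login: issues an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def logout(token):
    """Forget the session, so a copied image URL stops working with it."""
    SESSIONS.pop(token, None)


def _account_for(environ):
    """Return the logged-in account for this request, or None."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def photo_app(environ, start_response):
    """WSGI app for /photos/<name>: each request is authenticated, then authorised."""
    def reply(status, body=b"", ctype="text/plain"):
        headers = [("Content-Type", ctype), ("Cache-Control", "private, no-store")]
        start_response(status, headers)
        return [body]

    path = environ.get("PATH_INFO", "")
    name = path[len("/photos/"):] if path.startswith("/photos/") else ""
    account = _account_for(environ)
    if account is None:
        return reply("401 Unauthorized", b"log in first")
    # An empty name is a request for the folder itself: there is no listing.
    # Unknown names and other children's photos get the same 404, so a
    # logged-in user cannot learn which file names exist.
    owner = PHOTO_OWNER.get(name)
    if owner is None or owner not in ACCOUNT_CHILDREN.get(account, set()):
        return reply("404 Not Found", b"not found")
    return reply("200 OK", PHOTO_BYTES[name], "image/jpeg")


def fetch(path, token=None):
    """Call the app the way a web server would and return (status, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token:
        environ["HTTP_COOKIE"] = "session=" + token
    body = b"".join(photo_app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body


if __name__ == "__main__":
    token = login("parent-a")
    print("own photo, logged in:   ", fetch("/photos/a3f9c2e1.jpg", token)[0])
    print("other child's photo:    ", fetch("/photos/77b0d4aa.jpg", token)[0])
    print("folder request:         ", fetch("/photos/", token)[0])
    logout(token)
    print("same URL after log out: ", fetch("/photos/a3f9c2e1.jpg", token)[0])
```
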

50 thoughts on “Am I making it up?”

  1. Hayley fab news that the photograph loophole is now resolved, I’m interested did BD ever admit it existed? Just wondering as they outright denied it on their page and instead accused you of being a fruit loop?
    As for some of the ridiculous comments above, it’s clear they are coming from BD owners or their affiliates, I recall the same veiled threats and ludicrous attempts to discredit happening several times to people who dared to try get BD to provide a reasonable amount of customer service / transparency. Says an awful lot about them as individuals and as a company.
    Glad I don’t use them anymore!
    Again well done you on getting this sorted :-)

    1. As far as I know they are completely denying it but lots of people were able to do it from their systems and the loophole is still exposed on the demo sites :)

  2. I used Hayley’s instructions last night and was able to view photos using the link when I had logged out of my Babysdays account. However, tried this again a short time ago and it doesn’t work now. I’m assuming this security issue has been fixed sometime today.

  3. Hi hayley
    don’t publish this to your main blog. you may already be aware but I think I know who published the “disgusting” comment. He put something similar on the support group last night talking about reporting you as an accessory for a crime involving children & photos. Eh?!
    The man writes the most pretentious BS I have ever read.
    I have a screenshot if you ever need it.
    I’m sorry that you’re having to deal with this & deal with all these bullies. But you’re doing great!

    (this post was edited by Hayley to take out the person’s name, thanks for getting in touch Blog Fan. Ps not sure if you mean don’t publish this at all, or don’t make a separate post about it, but you can email me via the contact button if you want me to delete this, or when you write a comment put in your email address so I can email you back, they don’t get published)

  4. Hayley, I am curious. Why were you trying to find out from Bristol City Council, how many childminders in Bristol care for more than 6 children, and of those how many had planning permission? Sounds like you were on another witch hunt and trying to get other childminders closed down. Blog readers be careful as you could be next on her list

    1. Hello again Anon, I can see you’re the same Anon that posted I was a journalist as you provided your email address. Why would I try and get childminders closed down? That makes no sense? Do you really honestly believe I am just a terrible person on some sort of witch hunt? Have you actually read this blog and what happened to me? Baby’s Days refused to update my system. That’s how all this started, read here for more info: I didn’t make them do this to my system. The blog documents real things that they have done to me or other people or ways in which the system isn’t 100% secure. None of these things would be able to be published if they weren’t true or if they didn’t happen. It’s not a witch hunt, it’s a factual documentation.

      To answer your question (which has been brought up before and isn’t something I’m trying to hide) I was asking this question, via a Freedom of Information request because I had an issue with my neighbours and local council in that even though I was only minding 6 children from my home, they were forcing me to seek planning permission for this. I was trying to prove by requesting the information that no other childminders in Bristol have this type of planning permission and as such I was being treated differently.

      As I am a person that sticks up for my beliefs, not the type of person to nod smile and scurry away, yes this happens to me. If you think I’m making this up, luckily I posted in a facebook group asking for any other childminders views if they had experienced similar. Here is an example of such a post.

      Hope this clears it up for you and you might start to realise I am not on a witch hunt, I’m not a terrible person out to cause trouble, I have not said anything derogatory, I have said the system is actually really good, I’ve not encouraged anyone to leave, there are loads of blog posts with screen shots to support this. Just back up and maybe be careful with putting any more photos on until this loophole is fixed. That’s all I’ve ever said. I don’t see how that is a witch hunt?

      1. I did find a newspaper article after I posted which detailed how you might be forced to close down as you were caring for 15 children. So wondered if this was the reason behind seeking the information.

        The reason it might look like a witch hunt is that you seem to be obsessive over picking at everything and trying to find faults. I’m sure if you picked at most companies there would be faults as nobody is perfect. I just can’t understand why you are so fixated on this. I have blocked you and one of your fans on facebook as I am so sick of seeing the posts. I’m not the only one that feels this way either.

        What are you trying to gain from this? That is what I would like to know

        1. My data and to ensure this doesn’t happen to anyone else. Edited to add: Also to prove what I am saying is truth. There is nothing that motivates people more than being called a liar, nut job, evil, insane, whack job etc. But yes I take your point it might seem like I’m going on a bit. But wouldn’t you if you were me and you paid a company hundreds of pounds over the years and had nothing to show for it? I post 3/4 times a week at the most.

        2. If you have blocked Hayley because you are sick of seeing posts, why are you on here! I for one celebrate Hayley for standing by her beliefs.

          1. I am simply trying to understand what she would like to achieve. I am not attacking her, I am just asking questions to find out more. Exactly what Hayley has been doing with all of this

  5. I think everyone needs to remember that you cannot believe everything you read on the Internet. Just because Hayley has a grudge with BD, and has written things about them. Does not make them instantly true. Some people are happy to take every word that Hayley says as gospel without looking into the facts themselves. Please try looking at these things yourselves before making your mind up. Hayley used to be a journalist and we all know how they are so good at manipulating the things that they write. Hayley stated that she was doing this as she wanted her 4 years of work back. They have offered her this and she turned it down. So now it’s just a childish witch hunt.

    1. Thanks Anon, first of all, what? I used to be a journalist? No I didn’t! Where did you get that?

      If you want to look into this for yourself then follow the instructions in the latest blog post and you will see for yourself that individual photos CAN be viewed without you needing to put in a username and password, as my blog correctly states. This shouldn’t happen. ALL photos should require a username and password.

      They did offer to give me back my data. In return for getting my data back, they wanted to remove my blog, remove all my comments from every group on facebook where I had said anything slightly negative about their customer service and they also wouldn’t commit to providing my system with updates, which was the whole reason I started the blog in the first place.

      So I would have (possibly) had my data back (obviously I couldn’t be sure they would give it back and for obvious reasons I don’t trust them) but would have been back in the same position a month down the line if they refused to update my system, plus my blog and all the followers would be gone. Plus they wouldn’t commit to removing the claims on their facebook page and support group claiming I was a liar, evil and an unfit child minder. That didn’t seem very fair to me. This is all documented on my blog and I have never hidden this from anyone.

      1. I got it directly from your Twitter account. A tweet written by yourself. So are you now saying that you did not write it? Or have you been giving out false information about yourself? I would hate to think that you could possibly say anything that might be untrue?! I would post a screen shot but it won’t allow me to.

        So originally you said you just wanted your work back, and now you have refused it. So what is your goal now?

        Do you do this to every company that you have a fall out with? There are thousands of happy customers but you are determined to try to ruin it for everyone. I’m presuming you would love to get babysdays shut down. Which would upset many happy customers. Just because you have had a bad experience with them.

        1. Hi Anon, where on my twitter account? I have never been a journalist and I’m certain none of the tweets I’ve made say that, I will screen shot all the tweets I made (was it a tweet or a reply to someone?) and upload here in the interest of transparency, you could say something like, it’s the 12th tweet or something like that and I will explain whatever it is you think it says. I used to work in law and copywriting. Could I have said something like my background is in journalism? Here is the link to all my tweets:

          My goal now is to ensure this doesn’t happen to anyone else, that current customers use the system with their eyes wide open and they back up their data. Many didn’t even know they had to back up, which is what I thought too. I would also still like my data back.

          I don’t understand the last part of your comment. How am I ruining it for everyone, if you don’t like what I have to say and think your data is fine then just ignore me? I do not want to get Baby’s Days shut down, if you read the blog you would know that. I have said many times the things I post are balanced against the effect it may have on the company as I don’t want them to sink and for hundreds of childminders to potentially lose their data. That wouldn’t make sense given that this blog is about how to keep your data, would it?

          Have you never left a bad review about a company?

          1. Of course I have given bad reviews where necessary. I haven’t then started a blog picking at everything I could possibly find. That’s the difference between leaving a bad review and what you are doing.

            It’s good that you are giving balanced information and not trying to shut them down. I wasn’t sure whether that was your intention or not.

          2. I think the difference is if you leave a bad review about someone they don’t say, “she is lying, don’t believe her, everything she says is lies, we are going to sue her” etc. Maybe we both need our heads banging together eh? :)

        2. It’s a pity more people don’t speak up when they have had bad dealings with someone, this country might be a nicer place to live if people stuck up for themselves. As for the thousands of happy customers comment, how do you know how many customers he has and how many are happy, what a ridiculous statement to make.

          1. Most are too scared to even speak :( He does have a lot of happy customers though, which is fair enough, the system is good, so I can understand that :)

          2. It’s clear from how many people like the babysdays facebook page that there are thousands. And if they were not happy they would not be customers. So it isn’t a ridiculous statement to make at all :)

        3. I’m going to dive in here and pull you up on the ‘you want to see bds shut down’ comment. May I just remind you there is no smoke without fire and let’s face it, Hayley hasn’t bought their trademark from under them or anything horrid like that has she, funny how the MegaMinder issue has been swept under the carpet now, how many MegaMinder customers would have been upset if Mr Kahl had succeeded in his mission to sabotage his biggest competitor??? Bit like the pan calling the kettle here methinks!

          1. Well Anon, ‘It’s clear from how many people like the babysdays facebook page that there are thousands. And if they were not happy they would not be customers. So it isn’t a ridiculous statement to make at all :)’ like His lordship keeps on saying ‘don’t believe everything you read on the internet’. I’d advise you read the blog from start to finish, it will help you build up a better picture and make more of an informed decision, and also help you to understand exactly why Hayley has written the blog and her reasons behind carrying it on. She isn’t on her own to have been treated so diabolically, and isn’t the only one to have had things done to their data.

      2. I have followed your instructions as above, and guess what… I couldn’t see the photo!!! I went to a photo, right clicked and copied URL, logged out of babysdays and even closed that screen, opened a new screen and put the URL in, the screen said no access and took me to the log in page

          1. I’ve just clicked your link and that does work. But I would have thought that as it’s only the demo system for testing the product it won’t be the same as the full system? When I check my URL it says no access?

          2. It does work I promise you, I would never post anything on here unless I was 100% sure I was 100% correct because anything not true would cast doubt on everything. Anyway, maybe you did something slightly different?

            Go to Galleries>Photo Galleries>Click on the book icon to open the diary photos>select any photo. Right click any photo, and it will say Copy Image location. Once you have the image location paste it into your browser and you will see the photo. If you are doing this, it may mean it’s been fixed?

          3. Anon, a link that I could see yesterday, I now can not, so I think they have fixed it. No doubt they will deny that you could ever do it, but you could.

          4. I don’t think it was a tweet as I didn’t tweet on that date, but I may have replied to someone else? I can’t see a way to view them, I’ll try later on. What does it actually say?

          5. Just double checked again and it definitely doesn’t work for me? I presume that image URL and image Location are the same thing as I don’t get copy image location as an option?

          6. I’m sure it’s been fixed because an image I could access yesterday, I now can’t. Good for customers, but makes me look like a crazy person :)

          7. The tweet says – @RainbowN1 – as a past journalist and childminder thought you might like my blog:

          8. Wow, I thought my twitter had been hacked or something! Ok, I know what happened. The person I’m talking to, RainbowN1, she used to be a journalist and is now a childminder. So I’m saying to her, “as a past journalist and (now) childminder, I thought you would like my blog”. Does that make sense? Sorry for the confusion.

          9. Hehe, yes that makes perfect sense thank you Hayley. Sorry for bringing it up but I just misunderstood and now I understand :)

    2. I think this is the most ironic comment I’ve ever read. You’ve made your mind up not to believe anything Hayley says (despite the evidence she has presented to support her claims) on the basis of a tweet that you misunderstood! I’m glad you had the good grace to apologise for your error, but perhaps you could now practice what you preach and look into the issues that Hayley has raised for yourself. Please do get back to us with your conclusions as I’m all for hearing both sides of the story and so far baby’s days don’t seem willing (or able) to provide anything other than empty words and threats rather than solid explanations.

      1. I never said that I didn’t believe anything that Hayley says. I was simply asking questions to find out more so I could understand. I misunderstood the tweet, and now it makes sense so I apologised. I have already looked into the photo issue as above, and it didn’t work for me, but I believe that this is because they have fixed the issue before I had a chance to test it that’s all. There is nothing wrong with asking questions to learn more about things, or questioning anything that you are unsure of.

        1. Oh come on. “Childish witch hunt” are hardly the words of someone with an open mind. Thankfully Hayley has responded honestly and with dignity as usual, and hopefully set the record straight. Which is more than can be said for Mark Kahl. Perhaps that should tell us something about who it is that’s hiding things from people.

  6. I can only assume Anon with your comment disgusting that you find it not an issue at all that Babysdays can deny this safeguarding issue and once again turn it around on Hayley. Great for you that you obviously don’t find this and the many other issues with Babysdays a cause for concern.

    It was actually a PARENT that found this security/ safeguarding issue with the photos NOT Hayley. Babysdays actually confirmed it was an issue, …yet once again they now deny it to their customers. Unbelievable

  7. I thank you for exposing this loophole, BD will now have to do something about it and hopefully before OUR images end up in the wrong hands. It’s a known fact that paedophiles etc are skilled at data manipulation and hacking to retrieve images so I for one am glad that this has been put out there sooner rather than later.
    To Disgusted above I would politely suggest your vitriol be directed towards the owners of BD who are currently denying there is an issue by trying to rubbish this blog therefore NOT supporting their own customers. I view this blog as helpful, I don’t view it as trouble causing. As a childcare professional you should have undertaken whistle blowing training and should be able to recognise this as a safeguarding issue.

    1. Hi Bad User, glad you have found it helpful. You’ll also need to raise a support ticket about this because they still believe their photos are safe unfortunately. Obviously it would be best practice for all photos to need a password to be able to view them :).

      Good Luck, let us know how you get on!

  8. Disgusting,

    You have now undermined your duties as a childminder to safeguard children by publicly exposing how to do this; purely for emotional reasons as you were branded a liar.

    Your blog started out with no emotion and with pure factual comments, it is clear now that you have become more frustrated and more angry at this company to the extent that your emotion is now blurring your professional judgement. Get out now whilst you still can.

    1. My emotion isn’t clouding my judgement at all, yes I have been called a liar, but this is nothing new from Kel Thomas and Mark Kahl. I posted the further information after serious thought and concluded it was in the best interests of safe guarding that this was exposed so it can be rectified. But thank you for confirming the flaw is there.

      Instead of contacting me and putting my safeguarding duties under the microscope have you contacted Mark Kahl as the director of Sys IQ Ltd and Baby’s Days to ask them why it’s possible to see images without having to log in? If more people complain about this they might be compelled to fix it. Thanks.

    2. Oh what a stupid comment, if Hayley knows about it, then others do. As for the blog starting out, my god!!! the girl is sticking up for herself, if your data was blocked by some arrogant YES ARROGANT individual on a whim, then I’m sure you wouldn’t roll over and take it, or perhaps you would, as it seems a lot of people this has happened to haven’t had the back bone to do anything about it. A safeguarding issue has been brought to light and you should be grateful for it, seeing as you are paying a lot of money for something that has blatant issues! SHOCKED by some people’s attitudes especially with data that isn’t theirs to put at risk.

    3. Eh?! So it’s Ok for babys day to have this security risk & hayley & the parent who discovered it are wrong to speak out?
      The parent made baby days aware & they did nothing. Is that acceptable? What do you think should have been done?

      I suggest you haven’t a clear understanding of the meaning of safeguarding.
      In fact maybe by standing by & allowing this security risk makes you an accessory!

      I am gobsmacked by the amount of apparently intelligent adults who have set up their own businesses but still cannot think for themselves & see how risky this is.
      Mark’s explanation & telling people to log on as a parent just proves what fools he takes his customers for. Hayley had no other choice.

      Hopefully now this will be fixed like it should have when they were first informed.

    4. I am very confused as to how Hayley has undermined her duties as a childminder to safeguard children? Surely what Hayley is doing is making other childminders/nurseries aware that their data may be compromised – she is helping us to safeguard our children by highlighting a flaw in the baby’s days system. If someone managed to get hold of photos off my Baby’s Days system then I assume I would be held accountable? I am making a VERY big assumption that Mark Kahl would perhaps not be willing to shoulder any of the blame? It is probably written into his T&C that he has no responsibility whatsoever!!!
      I for one will not be renewing my subscription to Baby’s Days when it runs out, I absolutely love the system, and I have put up with the fact that Kel kicked me out of her precious support group for me daring to voice I thought there was a bug in the system (which there was!) and I have also ignored the sheer arrogance and utter annoyance of Mr Kahl – but now I know that the system has security flaws this is the final nail in the coffin for me!
      Thank you Hayley – you have my FULL support, please do not stop making Baby’s Days users aware!
