No I am not. It’s a fact that individual photos are able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to babysdays.
This is a short, simple post. Apparently I am making this all up (so the parent who noticed it and the email Sys IQ sent him don’t exist then?) and there is no problem with the photos. I will be posting in more detail tomorrow night, but for now, if you are a Baby’s Days user and you think I’m on a witch hunt, you can try the following and see for yourself.
Go to a photo in your diary section.
Right click your mouse button.
You will see something that says something like, “copy image URL”. Copy the URL into Notepad or Word or similar.
NB. THIS WILL NOT WORK IF YOU USE THE URL FROM THE ADDRESS BAR AT THE TOP, IT HAS TO BE THE URL THAT DIRECTLY LINKS TO THE PHOTO WHICH YOU CAN ONLY SEE BY RIGHT CLICKING YOUR MOUSE.
Log out of Baby’s Days.
Paste the URL back into your browser (i.e. Firefox or Chrome) and it will load the photo. You will be able to see the photo even though you are not logged into Baby’s Days.
With some manipulation of the URL some people will be able to navigate to other children’s photos. (The following was added at 23.41 on the 18th Feb after a few messages from people still confused) The parent who informed me of this is using a Baby’s Days system that has the directory listing feature of Apache turned on. This enables people to navigate through the directory structure of all images if they have one URL. Hopefully this makes more sense?
Parents have the URL for their own children’s photos, so they already know the URL for their own child’s photo. Even if the directory feature is turned off, a parent can still gain access; they would need to alter the URL to access a different child’s photo. That’s why a parent made this discovery, not just a random person (thankfully!). If you wanted, you could write a computer programme to generate all the possible URL combinations and you would have access to every photo. It’s not as simple as changing a digit here and there, the URL includes a JPG name that is random and also possibly a time and date stamp. It wouldn’t be very easy to guess it, but it is possible. Each individual photo should really be password protected.
If you log in as a parent and look for yourself as Mark Kahl has advised customers (to reassure you all it’s nice and safe), of course you will only be able to access your own child’s photos. As I said, it’s a code problem, not a simple navigation front end error. It is to do with the authentication of the code that has been used and the way in which the photos are named and dated as they are uploaded to the server.
The individual URLs for each child’s photo can, with some skill, not just by anyone, be second guessed, and certainly can be easily guessed by a programme made for this purpose, which is called image harvesting. And because you don’t need to log in to see links to photos, anyone can access anyone else’s photos.
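To show what “each individual photo should be password protected” means in code, here is an added example (not Baby’s Days’ or Sys IQ’s code) of a minimal photo endpoint that checks the session on every image request, refuses another parent’s photo, and never lists the directory. The sessions, parents, photo file names and image bytes are constructed for the example.

```python
# Added example: a minimal WSGI photo endpoint that authenticates and
# authorises every image request instead of serving /photos/ as a static
# directory. All sessions, parents, photo names and bytes are constructed.
from http.cookies import SimpleCookie

# Constructed data: session token -> parent, photo file -> (owner, bytes).
SESSIONS = {"sess-a": "parent_a", "sess-b": "parent_b"}
PHOTOS = {
    "a1b2c3-20150218T2341.jpg": ("parent_a", b"\xff\xd8PHOTO-A"),
    "d4e5f6-20150218T2342.jpg": ("parent_b", b"\xff\xd8PHOTO-B"),
}

def current_parent(environ):
    """Resolve the logged-in parent from the session cookie, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["session"].value if "session" in cookie else None
    return SESSIONS.get(token)

def photo_app(environ, start_response):
    """Serve /photos/<file>; a random file name is never the only protection."""
    path = environ.get("PATH_INFO", "")
    parent = current_parent(environ)
    if not path.startswith("/photos/") or path == "/photos/":
        status, body = "404 Not Found", b""      # no directory listing at all
    elif parent is None:
        status, body = "401 Unauthorized", b""   # logged out: never a 200
    else:
        owner, data = PHOTOS.get(path[len("/photos/"):], (None, b""))
        if owner is None:
            status, body = "404 Not Found", b""
        elif owner != parent:
            status, body = "403 Forbidden", b""  # another child's photo
        else:
            status, body = "200 OK", data        # own child's photo only
    ctype = "image/jpeg" if body else "text/plain"
    start_response(status, [("Content-Type", ctype)])
    return [body]

def fetch(path, session=None):
    """Call the app in-process (no network) and return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if session:
        environ["HTTP_COOKIE"] = f"session={session}"
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(photo_app(environ, start_response))
    return captured["status"], body
```

Running `fetch("/photos/a1b2c3-20150218T2341.jpg")` with no session returns a 401, which is the response the post’s logged-out test should get instead of the photo.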
Hope that clears it up.
Sorry I had to post this explicit set of instructions, which I omitted from the first post for security reasons. I hope it doesn’t affect anyone’s business, but I will not be called a liar by Mark Kahl, and this is the only way to prove that what I am saying is true, unfortunately.
Edited at 2pm on Thursday 19th Feb. I downloaded a demo, I uploaded a photo, here is a link to the photo.
You can see my photo even though you are not logged into my demo site. Individual photos do not have a password; this is what I’m trying to explain. No doubt they are going to try and say “it’s different security because it’s only the demo site”, but that’s not true.