This week I made some tools that will pull all of the images from a user on SmugMug, a platform for professional photographers to distribute work. The majority of users on the platform do not secure their galleries and think that simply hiding them is enough.

ALSO, most users have an RSS feed for recent posts that non-technical users leave on by default, leaking every photo they upload.

Users' intimate family photos, weddings, and sometimes things such as boudoir shoots are exposed. Combined with OSINT tools, this could be a pretty sensitive issue.

Let's update this. It doesn't matter if users hide albums or make them private behind a password. The API leaks ALL updates in recent photos. A photographer using SmugMug is exposing their clients' photos to the web, full stop. Postpartum, boudoir, family wakes... everything. Further still, the RSS feed that most users leave on by default allows for a stream of recent photos that is viewable by an RSS reader. No scripting required. No API key needed. If your photographer uses SmugMug, don't use that photographer.

The primary issue is that the architecture is just all wrong to defend this content. Images are uploaded directly into a bucket and then the albums are linked to the relevant images. So if you can dump their uploads (such as in recent submissions), you bypass any kind of album-level protections. These aren't all models building a portfolio. They're husbands and wives; mothers and fathers. Children. Deceased relatives.