Google Photos’ Sharing URL Is More Secure Than You Think

June 23, 2015 - Written By Alexander Maxham

Back at Google I/O last month, Google revamped their Photos service and dropped the “+” from the name, taking it away from their social network. So now you can upload a ton of pictures to their service for free. One of the cooler features, though, is being able to search. Seeing as I use so many smartphones and cameras to take pictures, I can easily search for “Galaxy S6” and it’ll show me all the pictures taken with the Galaxy S6, as well as screenshots from the Galaxy S6, which is pretty sweet. Google has also added a feature where you can share pictures (just the pictures you choose) with other users using a link. But how secure is that really? Actually, it’s much more secure than you think.

On Reddit, a few users noticed that you could still access photo URLs through incognito mode and various other ways that hide your identity. Sounds fishy, right? Well, what these URLs do is include a “password,” so that people can’t just spy on your photos, but you can still share them with other people if you’d like. The “password” part of the Photos URL is about 40 characters long, which makes it tough to duplicate, or to see all the photos in someone’s library. “There are enough combinations that it’s considered unguessable,” Aravind Krishnaswamy, an engineering lead on Google Photos, stated. “It’s much harder to guess than your password.”

Web traffic for the Photos service is also secured by SSL, which means it’s hidden from anyone else on the network who might be listening in. Which is always important. So don’t worry too much about picture URLs being available. It’s a type of URL that’s called “private-but-shareable,” and Google isn’t the only one using it. Facebook and other sites also use it quite often. This way you can share photos without sharing the absolute URL of where your album on Facebook or Google Photos is. Which is equally important, because we don’t want all of our pictures public, right?
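To put numbers on "unguessable," here is an added sketch of how a private-but-shareable link can be issued and checked; it is not Google's code. The 64-symbol URL-safe alphabet, the `photos.example` base URL, the `ShareLinks` class and the guess rates are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Assumption: 40 characters drawn from the 64-symbol URL-safe base64 alphabet.
TOKEN_CHARS = 40
ALPHABET_SIZE = 64


def token_entropy_bits(length=TOKEN_CHARS, alphabet=ALPHABET_SIZE):
    """Bits of entropy in a uniformly random token of this shape."""
    return length * math.log2(alphabet)


def years_to_guess(guesses_per_second, live_links=1, bits=None):
    """Expected years of guessing before hitting any one of the live links."""
    bits = token_entropy_bits() if bits is None else bits
    # Enumerating a space of S values with T valid targets takes
    # about S / (T + 1) tries on average.
    expected_guesses = 2 ** int(bits) / (live_links + 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


class ShareLinks:
    """Hypothetical share-link store that keeps only a hash of each token."""

    def __init__(self, base_url="https://photos.example/share/"):
        self.base_url = base_url
        self._albums = {}  # sha256(token) -> album id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, album_id):
        # 30 bytes from the OS CSPRNG encode to exactly 40 URL-safe characters.
        token = secrets.token_urlsafe(30)
        self._albums[self._digest(token)] = album_id
        return self.base_url + token

    def resolve(self, url):
        """Return the album id for a valid link, or None."""
        if not url.startswith(self.base_url):
            return None
        return self._albums.get(self._digest(url[len(self.base_url):]))

    def revoke(self, url):
        """Invalidate a link so the old URL stops working."""
        digest = self._digest(url[len(self.base_url):])
        return self._albums.pop(digest, None) is not None
```

Under these assumptions the token carries 240 bits of entropy, so even at a billion guesses per second against a billion live links the expected search time is far beyond 10^40 years. The link itself is the credential, which is why it only stays private as long as it travels over SSL and is shared with people you trust.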