Google Photos isn’t as private as we thought

by Jacob Kleinman | June 23, 2015

Google Photos is a pretty awesome app, though the company’s powerful face-scanning technology can be as creepy as it is useful. Now the new service may be facing another privacy issue that leaves your photos hiding in plain sight.

Open up the app on your desktop, right-click on a photo, and opt to see the link in a new tab or window. The page Google generates is no longer part of the password-protected service. Instead, it’s out in the wild, hidden only by a randomly generated 40-character URL that essentially makes it impossible for anyone to find your pictures without a direct link.

This bug (or feature, according to Google) was first noticed earlier this month by a Reddit user going by the name RossFletch. It turns out this is a pretty common practice, and it’s used by Facebook as well. The Verge notes that there are a near-infinite number of possible URLs (10^70 to be mathematical about it). Google also encrypts Photos web traffic and has a team of engineers devoted to blocking possible hacks.

“There are enough combinations that it’s considered unguessable,” Aravind Krishnaswamy, an engineering lead for Google Photos, told The Verge. “It’s much harder to guess than your password.” So at the end of the day your photos are still safe with Google, even if they aren’t actually password-protected.

Sources: Reddit, The Verge

