Are your photos truly safe?

July 2025, Ben Holloway, BSI Consulting

It’s time to rethink everything you knew about digital privacy.

Picture this: you’re lounging on a sunny beach, capturing blissful holiday moments to share with friends and family back home. With a few taps, those images are whisked away into the digital ether, safeguarded behind layers of passwords and encryption. But are they really?

We entrust our personal moments to photo-sharing platforms under the guise of unbreachable security. Yet beneath user-friendly interfaces and marketing claims, the true safety of our digital memories is far murkier.

With each upload, we’re giving a piece of ourselves over to an uncharted digital realm. The promise of privacy can’t be assumed. We must examine how these platforms manage and safeguard our most personal, intimate data and memories.

Get ready to rethink everything you thought you knew about digital privacy as we explore the unseen threats that lurk within “private” photo-sharing platforms.

Security through obscurity

During a penetration test for a web application, the functionality allowing users to upload photos was examined. Each uploaded photo was accessible via a unique URL generated by the system. The initial assumption was that these URLs would be protected by the same authentication protocols safeguarding other sensitive areas within the application. However, it was found that these images weren’t secured by any form of authentication at all.

The only barrier to accessing any uploaded photo was the complexity of its URL, which contained a highly unique identifier. This practice, known as “security through obscurity”, is widely regarded in the cybersecurity community as a weak and unreliable defense mechanism. The realization that these images could be accessed by anyone obtaining their direct URL, regardless of authentication status, raised immediate concerns about unauthorized access and the misuse of personal and sensitive images. This experience underscores the critical importance of robust security measures in protecting digital privacy, especially given the frequency of personal photo sharing today.

A closer look

The surprising findings prompted a deeper look into the security practices of leading photo-sharing platforms, specifically focusing on how these handle the privacy of uploaded images. Given the ubiquity of these services in our daily lives, understanding their approach to user privacy was crucial.

To gauge the level of protection afforded to personal images, a personal investigation was undertaken, examining the accessibility of photos stored on these platforms. The discoveries were startling:

• Despite the advanced technologies and sophisticated security measures you might expect from industry leaders, the privacy of uploaded photos was safeguarded by nothing more than a unique URL. This meant that any individual who possessed this URL could access the images, with no authentication required.
• Even more concerning was the realization that photos stored in supposedly secure locations were also vulnerable to this oversight.
• Even after deleting images, the URLs remained active, and the photos could still be accessed—some of which continued to be available several days later.

This discovery unearthed a concerning practice that wasn’t limited to a single application but was prevalent across several photo-sharing services. The reliance on unique URLs for the security of personal and sensitive images presents a significant privacy risk, highlighting a critical area for improvement in the way these platforms protect user data and maintain trust.

Prioritizing data protection

The reliance on security through obscurity is a clear call to action for both users and platforms to prioritize data protection. As users, it’s essential to:

• Be informed and cautious about where personal information is shared.
• Exercise vigilance. Always question and try to understand the security mechanisms that protect our digital data.
• Advocate for and demand that online platforms not only acknowledge these vulnerabilities but take decisive and transparent actions to fortify defenses against unauthorized access.

Platforms need to:

• Adopt more robust authentication protocols to safeguard user content effectively.
• Enhance transparency with users: Clearly communicate how photos and data are stored, accessed, and protected, offering users comprehensive visibility and control over their digital footprint.
• Introduce robust data lifecycle management: Ensure that deleted photos are irrecoverably removed from servers promptly, preventing unauthorized access even after users believe these images are gone.

This investigation reveals a crucial gap in digital safeguarding, emphasizing the need for an urgent reevaluation of privacy policies provided by digital services. It’s a stark reminder of the fragility of our digital footprints and the ease with which our supposedly private realms can be breached.

The digital age demands no less than a steadfast commitment to protecting user data, ensuring that privacy is not a mere afterthought but a foundational pillar of digital engagement. Let this be a call to action for users to have more awareness around the security and trustworthiness of digital ecosystems.