My private hidden photos are accessible to anyone! Major security breach
-
I have photos that are not in any of my pages or posts yet still anyone can go to my blog and find them. This is a massive security flaw.
Go to this page. You see 9 gallery thumbnails but when you click on a photo and then keep clicking, private photos that are not on any published posts or page will come up!
http://somethingtoread.wordpress.com/2014/08/15/gallery-with-fresh-uploads/
This is really, really, really not OK. I don’t see how anyone could use this site at all given that anyone can see your private material with just a few clicks.
The blog I need help with is: (visible only to logged in users)
-
To clarify: by clicking through to the gallery you get photos that are not in the gallery at all – they’re not in the thumbnails on the main page and they’re not there when I go to the gallery through my dashboard.
-
This is a known issue when linking Gallery images to Attachment pages. A Gallery linked to Attachment pages will show all the images that were uploaded to the same post, whether they were used in the Gallery or not.
Your options:
Change your site’s Media Settings to link Galleries to the Photo Carousel rather than Attachment pages. That way only the images that you use in the Gallery will appear in the Photo Carousel.Switch themes to one of the new ones that don’t have Attachment Page navigation. A short list can be found here: https://en.forums.wordpress.com/topic/attachment-page-navigation-missing-from-newer-themes?replies=6#post-1985169
If the photos are private, personal, don’t upload them to WordPress.com.
Let me know if you need more help with that.
-
. A Gallery linked to Attachment pages will show all the images that were uploaded to the same post, whether they were used in the Gallery or not.
That is not what’s happening. The photos in question were absolutely not uploaded to that post. They’re from a non-published post from 5 years ago.
That means no one besides me should be able to see them under any circumstances.
-
-
-
auxclass, please go back and read the original post. This has nothing to do with direct links. I’m not sure what gave you that impression because there’s nothing in my post that even vaguely alludes to that.
-
My answer was on point – please read what you have posted
They’re from a non-published post from 5 years ago.
That means no one besides me should be able to see them under any circumstances.
That means the pictures are in your media library – any one with a link can view them – just what I said –
-
Auxclass is correct, media published into the media library, regardless of post/page status, is public.
The post/page is private, but the media is not.
Without a public post/page, it would be near-impossible for anyone to guess what the media URL would be in the first place.
-
The only way to have truly private media uploads on WP.com is to have them on a private blog.
-
If a post or page is marked Private on a Public site, the media therein is not? Woah!
Is the same true for media on Public sites that have Password Protected posts/pages?
-
Yes, the media library is public if the blog is public, however without a public post/page, it would be near-impossible for anyone to guess what the media URL would be in the first place.
-
Even sleepy, something here is bothering me.
Have a closer look here. The OP is complaining about their photos being linked in Attachment page navigation when they don’t appear in the Gallery. They’ve deleted the original post they linked to in the first post, but there’s another Gallery in a page on their site that you can see this behavior in.
-
Hm, that is odd and definitely not behaving as it should. I suspect there is maybe a problem with the theme.
completelyriveting, if you check “Display images in full-size carousel slideshow.” at Settings -> Media in your blog’s Dashboard, does the gallery at http://somethingtoread.wordpress.com/2014/08/15/gallery-test-aug-2014/ move through images as expected?
-
As I said above, using the Carousel solves a number of ills, but what we need to know here is whether the OP’s Gallery shortcode includes IDs and whether there are other images attached to that post.
-
Auxclass, do not post in this thread any more. You either can’t or won’t address the problem, steadfastly refuse to acknowledge the problem as discussed in the original post, and are achieving nothing but wasting your time and ours. You skills will be useful in other areas but are not applicable here.
-
FINALLY some respondents are showing signs of understanding my question instead of mansplaining about matters that do nothing to solve it. Thank you; much appreciated.
macmanx: Yes, the never-posted images do *not* show up when I check “Display images in full-size carousel slideshow”. To phrase differently: checking “carousel slideshow” does cause the photos to display correctly and omits the never-posted photos.
justjennifer: When you first posted about linking galleries to the Photo Carousel, the reason I didn’t try that is you talked about “images that were uploaded to the same post” – but (as you now correctly understand) the images in question were *not* uploaded to the same post or in fact ANY post.
-
justjennifer:
we need to know here is whether the OP’s Gallery shortcode includes IDs and whether there are other images attached to that post.
I can’t tell if you’re asking for information from me. If so could you please clarify the questions:
– “shortcode includes IDs” – Do you want me to post some of the code (or is it called markup???) or look for something in it?
– “other images attached to that post”. It’s a gallery with 9 photos; I’m not sure what other images you’re referring to that could potentially be attached.
Thanks
-
Auxclass, do not post in this thread any more. You either can’t or won’t address the problem.
Auxclass is just a volunteer trying to help, and he told you the truth related to what you were asking about (it may not have been the answer you were looking for, but it was an important fact to state), please be respectful of that.
checking “carousel slideshow” does cause the photos to display correctly and omits the never-posted photos.
That is definitely a theme problem then, we’ll look into that.
we need to know here is whether the OP’s Gallery shortcode includes IDs and whether there are other images attached to that post.
Your gallery shortcode did not include any other IDs, this is definitely a theme problem.
-
- The topic ‘My private hidden photos are accessible to anyone! Major security breach’ is closed to new replies.
WordPress.com Forums 