SmugMug has a privacy leak, CEO says "I’m afraid our system wasn’t built for GUIDs"
Memo to CEOs: When you have a privacy or security leak, admit it, fix it, and move on.
There’s a hilarious story over on Google Blogoscoped about a massive privacy leak on SmugMug and the company’s attempts to deny that it’s a bug or could be easily fixed. Such denials were popular in years past but most companies have learned better.
The hole is that the "private" galleries over on SmugMug have easily guessable URLs like http://www.smugmug.com/gallery/4210001, http://www.smugmug.com/gallery/4210002, etc., so it’s easy to enumerate and crawl all of the private galleries.
This is easy to fix: just include a long, unguessable identifier in the URL (a GUID like b87ef4f0-d03e-11dc-95ff-0800200c9a66, for example).
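As an added illustration (not from the original post and not SmugMug's code), the sketch below issues a 128-bit random token per private gallery. It also shows why the identifier has to be random rather than merely long: the sample GUID quoted above parses as a version-1 UUID, which encodes its creation time and a node ID. `GalleryStore` and its method names are hypothetical.

```python
import hashlib
import secrets
import uuid
from datetime import datetime, timezone

# Ticks (100 ns) between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def describe_uuid(text):
    """Return (version, creation time) for a UUID; time is None unless v1."""
    u = uuid.UUID(text)
    if u.version != 1:
        return u.version, None
    unix_seconds = (u.time - UUID_EPOCH_OFFSET) / 1e7
    return 1, datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


class GalleryStore:
    """Hypothetical store: a private gallery is reachable only by its token."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(token):
        # Only a hash is kept, so a leaked table does not expose share links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_private(self, title):
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._by_digest[self._digest(token)] = title
        return token  # goes into the share URL in place of a sequential ID

    def lookup(self, token):
        # Unknown or guessed tokens resolve to None (serve a 404, not a hint).
        return self._by_digest.get(self._digest(token))


if __name__ == "__main__":
    # The GUID quoted in the post: version 1, so its timestamp is recoverable.
    print(describe_uuid("b87ef4f0-d03e-11dc-95ff-0800200c9a66"))
    store = GalleryStore()
    token = store.create_private("holiday photos")  # constructed sample title
    print(token, store.lookup(token), store.lookup("4210001"))
```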
When informed of the problem, SmugMug called it expected behavior and claimed that the guessable URLs were essential to sharing.
"Thanks for writing. This is expected behaviour. A private gallery just means that that gallery will not show up on your Smugmug homepage but it is accessible by knowing the direct URL to it."
The CEO added that their system "wasn’t built for guids" and that it would be an "extremely expensive proposition" to add them. Classic!