PLEASE NOTE: The site(s) I am about to show you just happen to be the very first result in Google for the search term I used, and the domain shows as bludomain6.com. I am purposefully not going to display any real photographers' domains in these shots so as not to associate any photographers with this article. However, any and all of these can be seen by anyone with Google, so I'm not showing you anything proprietary or anything that is not already in the public eye.
While researching this article I stumbled upon one specific search term, one that returned a shocking number of sites with the same wide-open folder structure. I was able to click through gallery after gallery of images using only Google and my internet browser. Family photos, seniors, engagement sessions and yes, even boudoir images. Thousands upon thousands of images spread across many different photographers' websites, all with the same folders. (No, I'm not typing the search term out, but you can see it in the image above. I'm trying to protect photographers.)
Then I noticed the trend. Most, if not all of these websites, were created by the very well known photography template company BluDomain. Let’s look at this a little bit closer before we point any fingers and remember that for my search above Google returned 36,500 results. That’s a whole lot of photographers with exposed image files.
Would it shock you to know that this precise folder (the one I was viewing openly and freely on site after site) is often used by photographers for their PASSWORD PROTECTED PROOFING galleries? That's right, I (or anyone with access to Google) could now potentially view files not accessible via the "frontend" of a photographer's website without even knowing their password.
As I stumbled through gallery after gallery looking at random photographers' photos, I noted that many of them were marked "PROOF". So I immediately went to the proper URL for a few of the photographers' sites and noticed straight away that the images I was seeing inside of /wedgalleries/ were not accessible through their proper website navigation. Hmm, I thought. As I stumbled across some boudoir client nudes on a photographer's site I thought to myself, "I wonder if they know about this?" So I did the logical thing: I picked up the telephone and started dialing.
The photographer who picked up was “FLOORED” when I described to them the topless photo of their client that I was looking at on their bludomain hosted website.
I’m totally shocked and scared that these images are out there. I want to find out how many people have seen these already. It’s eye opening!
This individual (whose name we are not using in order to protect their business) expressed a bit of anger to me as well as they could not believe that the images were still online at all, because according to them they had deleted the gallery using the bludomain client interface for their site. The photographer in question immediately logged in via FTP and began deleting images to protect their photos from the prying eyes and Google.
…Security on the images clients did not want the world to see is very very important to me. We pride ourselves on keeping images confidential, and finding out there was a leak in this security is awful. I am so thankful to Mark (DWF tech ops director/blogger) that he brought this to my attention. He has potentially saved me from problems with my clients and our business's financial future.
I will be checking for security instead of trusting someone is doing their job. I will be moving to a new hosting for my image gallery so I can feel confident with the security around our images.
I will also keep checking this in the future. To make sure our standards for security are met. Today was a very eye opening day.
To the credit of BluDomain they rectified this particular photographer’s situation rather quickly saying…
I am very sorry that happened. When your site was installed, a file that normally protects against folders from being directly accessible was corrupted. This corrupt file has been repaired, and the folders are no longer directly accessible… (BluDomain)
Does that mean that this particular error occurred on all of those BluDomain photographers' websites? The photographer in contact pressed on, and the result was a note from BluDomain stating that they are working on a script that should fix this issue across all of their clients' sites. Here is an excerpt from that email:
We have a script written that will prevent this from occurring on all sites. It is being implemented now. By the end of the day that will no longer be an issue. Thanks for bringing it to our attention… (BluDomain)
UPDATE: Good news for all you BluDomain clients: our article research may have saved your business butt. As of the moment of publishing, BluDomain does appear to have fixed the problem and I now encounter the following error. "Error" being a good thing in this case.
The moral of the story: don't put anything online that you wouldn't want the world to see. One simple mistake by you or your hosting company could potentially put your business in jeopardy.
In Part III of our series we'll discuss how you can protect yourself and your images online. Until then, DWFers are discussing these blog posts on the forums (membership required), or read Part I.
10 Comments at "Peek-A-Boo I See You and All Your Photos Too (Part II)"
[...] So what do you think? Are your images safe? Click to read Part II… [...]
this is insane and completely ridiculous! I just found more boudoir sites and contacted them as well, maybe it was one you contacted, idk! But their images were wide open.. how disappointing of bludomain
So judging by Katrina’s statement, bludomain really hasn’t fixed the problem at all. Scary! I’ll be logging in via FTP and deleting my old images also – thankfully I haven’t done any boudoir shoots yet! Thanks Mark!!
WOW. I thought they had fixed it. BTW if anyone at BluDomain wishes to comment I’ll be happy to publish their comments here and share them with our readers and forum membership.
wow, I could see loads of images. My bludomain betsy site was recently hacked and redirected to some Russian site. My hosts said they had got in through a hole in the code and altered the php
they don’t seem bothered
“The photographer in question immediately logged in via FTP and began deleting images to protect their photos from the prying eyes and Google.”
If Google has indexed them, they are most likely within their image search still floating around.
The issue is a simple fix on the server side of things. I used to run a hosting company for bloggers, but our servers were *ALL* set up so that if you navigated to a directory that didn’t have an index.html or index.php file, you could not see all the files within the directory.
A FAST and easy fix for users? Upload a blank text file named index.html to your server. That way, if someone navigates to a directory, they will see that blank file. They will NOT see your server structure then. You have to do this for every gallery directory.
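The blank-index fix described in the comment above, as an added example that is not part of the original post or its comments: a Python script that walks a local copy of a site (for instance one downloaded over FTP), reports every directory with no index.html or index.php, and drops an empty index.html into each. The sample tree and the file names placed under /wedgalleries/ are constructed for illustration.

```python
import os
import tempfile

# Index files named in the comment above; matched case-sensitively,
# as a typical Linux web server would.
INDEX_NAMES = ("index.html", "index.php")


def find_listable_dirs(root):
    """Return every directory under root (root included) with no index file."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not set(filenames).intersection(INDEX_NAMES):
            exposed.append(dirpath)
    return sorted(exposed)


def add_blank_index(root):
    """Create an empty index.html in each directory that lacks an index file."""
    fixed = find_listable_dirs(root)
    for dirpath in fixed:
        # Mode "x" refuses to overwrite a file that already exists.
        with open(os.path.join(dirpath, "index.html"), "x"):
            pass
    return fixed


def build_sample_site(root):
    """Constructed sample: a home page, an 'about' page, and a proofing folder."""
    os.makedirs(os.path.join(root, "about"))
    os.makedirs(os.path.join(root, "wedgalleries", "smith"))
    for rel in ("index.html", os.path.join("about", "index.php"),
                os.path.join("wedgalleries", "smith", "proof1.jpg")):
        with open(os.path.join(root, rel), "w"):
            pass


def demo():
    """Audit the sample site, apply the fix, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = [os.path.relpath(d, root) for d in find_listable_dirs(root)]
        add_blank_index(root)
        after = find_listable_dirs(root)
        return before, after


if __name__ == "__main__":
    print(demo())
```

A blank index file only hides the directory listing; any image whose URL is already known or cached stays reachable until the file itself is deleted or placed behind access control.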
It’s not fixed, all those images are in the cache of Google. I looked today at the sites and then pulled up the cache files.
[...] issue has been written about in a fair amount of detail on Digital Wedding Forum and the author there had the good grace to give warning to the photographers he was talking about. [...]
Bravo, I hope these people realize how lucky they are and respond accordingly!
I see a new slogan:
“Putting the Blu in BluDomain”.