Grabbing original images from Flash-based Lightroom galleries
Published by Rich December 31st, 2007 in technology, webdev, photography, security.

I can see how the Flash-based photo gallery option in Lightroom is so popular. It’s dead easy to create one, and since the Flash interface hides original filenames, it makes it more difficult for people to steal original image files.
I was interested in another person’s photos because I wanted to view the EXIF data. However, I wasn’t able to do so due to the Flash interface. I figured I’d poke around to see if I could get past this limitation.
Simple answer: Append “/bin/images/large” to the base URL of the gallery. If directory browsing is enabled, you’ll get right through to the largest version of the images.
Digging deeper: I feel like I use Wireshark for just about everything; it’s way more than I need, but does the job. Here’s another such case where I use a packet capture just because I’m comfortable with it.
Since I didn’t know what file structure Lightroom used (and I didn’t use Google to find the answer, previously posted here), I captured a session of browsing a gallery. I looked for all the HTTP GET requests, and saw requests for JPG files. I tried browsing to the file path, and got a listing of all the image files.
If the server disallowed directory browsing, then I’d have to go through the whole album and note all of the GET requests for each image. A pain, but still very much doable.
Countermeasures to this kind of snooping include: disabling directory browsing, or only allowing SSL (which would prevent me from doing a packet capture).
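For a gallery owner checking the first countermeasure, here is an added example (not code from the original post) that reports whether the full-size image directory named above returns a server-generated index. The marker strings are assumptions based on the default index pages of common web servers, and `gallery.example` and the sample responses are constructed placeholders.

```python
import re
import urllib.error
import urllib.request

# Path from the post: where a Lightroom Flash gallery keeps its largest images.
LARGE_DIR = "/bin/images/large/"

# Assumed markers of auto-generated directory indexes on common servers.
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of /", re.I),     # Apache, nginx, lighttpd
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS
    re.compile(r"Directory listing for /", re.I),  # Python http.server
]

def looks_like_listing(status, body):
    """True if the response is a server-generated directory index."""
    if status != 200:
        return False  # 403/404: browsing is disabled or the path is absent
    return any(m.search(body) for m in LISTING_MARKERS)

def http_get(url):
    """Default fetcher: one GET request, returns (status, first 64 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit_gallery(base_url, fetch=http_get):
    """Check a gallery you host for an exposed full-size image directory."""
    url = base_url.rstrip("/") + LARGE_DIR
    status, body = fetch(url)
    return {"url": url, "status": status,
            "exposed": looks_like_listing(status, body)}

# Constructed sample responses (not captured from a real server).
SAMPLE_APACHE = ("<html><head><title>Index of /album/bin/images/large</title>"
                 "</head><body><h1>Index of /album/bin/images/large</h1>"
                 '<a href="photo_1.jpg">photo_1.jpg</a></body></html>')
SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    # Offline demonstration using the constructed Apache-style response.
    print(audit_gallery("https://gallery.example/album/",
                        fetch=lambda url: (200, SAMPLE_APACHE)))
```

An `exposed: False` result only means the listing is hidden; as the post notes, each image is still requested individually by the gallery.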