WordPress images unprotected

WordPress allows to publish  posts as private or password protected. The access control  seems to work for posts quiet well, but not for the images uploaded and linked from within the post. The images may be accessed using the corresponding URL directly, withouth any access control being enforced. So even if nobody has access to my post, anybody in the internet may get access to the  corresponding images, just by guessing the corresponding URLs of those images.  The private images are protected by wordpress by a mechanism called, security by obscurity.

You might say, that an attacker requires read-access to the private post first to get to know the corresponding URL of private pictures. Yes, but there is also a good chance to guess the URLs.  Let’s take a quick look at the URL of an image residing in wordpress library:

http://frehberg.files.wordpress.com/2010/03/dscf0553.jpg

It contains the blog domain, the date and the name of the image, as it has been uploaded by user that day.

Just imagine that someone has been on holiday, and the same day  publishing a number of public posts and private posts, the latter only for personal purpose, such as diary. If the corresponding images have been taken with the same camera, those holiday images will have sequence numbers within a narrow range. Some of those images ought to be kept private. But if uploading all images without changing the image-names, an attacker may get access to those private images guessing, using the publicly known image and its sequence number as base to start with. It may be sufficient to try sequence numbers within a range of +-30.

To avoid this kind of attack, one should not keep the image name assigned by the camera, but renaming all images being uploaded to wordpress library. Doing so, guessing would be much harder, and unauthorized access to non-public images  less likely.

In 2008 TechMixer documented something called a  Hotlink protection plugin which might be  related to this issue.

My recommendation is to take a closer look at this security issue. It might be a very bad experience for users discovering that the images of their very personal posts have been disclosed.