Photo App shows all folders

manuelceja wrote:

WD Staff or Forum Monitors:  I and other users would feel much better about continuing to use your products, if you would acknowledge that this problem exists, suggest a timeline for when it will be fixed, and provide a temporary solution until you provide a permanent fix.

 

Thank you.

 

 

-MC.

There is no timeline to fix.  This is how the app works.  It is designed to show you all your photos.  If you want to share out folders for others to see, then you need to use WD2go. 

@Bill_S,

I’ll try again -

  1. I do *NOT* want to share my pictures with others.
  2. I have configured my device (EX2) for private (not shared) shares
  3. Access from Users of my EX2 vis wd2go works correctly - they can only see what I want them to see
  4. When the WDPhotos iOS app is use it does *NOT* respect the restrictions I’ve put I place to make other folders private.
  5. The WDPhotos iOS app displays every single picture on the EX2 no matter what User privileges/restriction I have configured for them.
  6. The WDPhotos app is *NOT* working correctly and needs to be fixed.

Please note that per this thread I am not only only MyCloud consumer that is experiencing this problem. It is reproducible! You can try it yourself and verify the problem!

If you or any WD staff is reading this post, please try this yourself on an EX2. If you cannot reproduce it - Great! Now tell me why I and others are experiencing this problem and what we can do do fit it.

Please, please, please do not ignore this problem.

I am baffled why this problem is being disregarded - it is real. It is a problem. It is a real big problem.

This is either a flaw with the WDPhoto app or the EX2 or both, either way it is an issue and it needs to be fixed. From everything that I have attempted to do I am not able to fix the problem. This something WD (you!?) need to do.

WD, it make no sense why you want to alienate your customers over this problem. If (when) you replicate hen problem I’m sure you will feel the same level of concern as us over this issue. Please investigate it, find the root cause and fix it!

Thank you…

-MC.

WD, please solve this problem. I bought the WD My Cloud Ex 2 a few days ago and I’m very disappointed about this - in my opinion - security issue. Now my famlify can’t use this app because we only want to see the photos in the public folder ‘Shared Pictures’. We also do not want to see the covers of music albums in the folder ‘Shared Music’ and  the covers in the ‘Shared Videos’ folder. 

Dear Bill_S,

I just bought your WD My Cloud product and have encountered the same issue as other have reported here. The WD Photo App displays all the folders in all shares to anyone who has access to the WD My Cloud device.

Note that I have read this whole thread and find that no WD Staff have made any attempt to explain why the problem exists and when they will fix if. If anything, they have actually proposed that this is the way the product is supposed to work. Surely not. There is actually a fundamental flaw in the way WD have implemented the application. The device creates an index of all the folders and image files in a single SQLite database stored next to the shares. The WD Photo App allows the user to see the entire contents of this database. In other words, the user can see all folders and image file names for the entire device. It should not do this.

One option is to filter the index based on the shares the user has access to. Or alternatively, and probably a better solution, is that you build a separate index for each share, and store that index within the share. Then you only allow a WD Photo App user to view the indexes they can actually access (because they are stored in the share, not outside of it).

Could you please provide some indication of when you are going to fix this problem? Also, could you please provide a method for turning off the building of this index. In other words, how can I stop the device from building the .wdphotos SQLite database so that I can properly secure this device and prevent non-authorised users from viewing the names of all folders and image files on the device?

Thank you,
Peter

As I had planed to buy a WD My Cloud 3To, this afternoon…

I justed wanted to thanks people who pointed out this security issue on share permission with picture.

And now have to find another cheap and simple NAS without security issue…

Regards

French Tag : faille de sécurité avec les photo

The fact that WD Photos shows all the folders on the drive, regardless whether they are public or private, is how the application is meant to work.  It is not a bug, it is how the application works

Now, having said that, I do understand that it may not be an agreeable user experience.  So, I have pushed this once again to our product people as a feature request - that private folders stay private.  However, I cannot promise what will be done about it, or if it will even be with the WD Photo software.  Moreover, if you really think this a security issue for you, then you need to remove the app from your device. 

As I tried to say in the earlier post, if you are looking for something more secure (read private), then you need to consider using the WD2go app for you photos.  You have much more control over your private shares than you would with WD Photos, which you have none.  Unfortunately, as WD Photos is a photo browsing app, WD2go is more of a file serving app.  You won’t get the pretty thumbnails you get with WD Photos, but you’ll get the security. 

I’m not very happy with the reply of Bill_S; “it is how the application works” is even worse than a bug, it means that this security or privacy issue will never be solved. Don’t you agree with me that private should be private? WD photos, with all those pretty thumbnails - yes I agree - but also with those useless en worthless thumbnails of our long and wide folder-trees, and pictures I don’t need or want to share. Or thumbnails of music album covers, and so on. Why is that “as it works”? It shouldn’t work like that. And, why should I remove this app? It’s almost the same as removing the EX2, a strange advice, you can’t be serious! By the way, WD2go app doesn’t exists (apple store). 

We are not using WD MyCloud Ex2 right now, only Apple’s Timemachine is running. A little bit too expensive for only this sercice! The iTunes service is also worthless: no home-sharing, so we can’t stream our music via the EX2. The ideas of WD with the EX2 WD are good, that’s why I’ve bought the EX2, but the experience is very very disappointing. WD photos, with only the pretty thumbnails of the public of configurated shared folders, what a great product that would be!

1 Like

Dear Bill_S,

I’m afraid I cannot click the Kudos star just yet. :slight_smile:

I can accept that the app was design to work just like you say, as that is the choice of WD as the vendor. However, now that the app is in the marketplace it is clear that some consumers would prefer it did not work that way. And you have acknowledged that and made your product people aware of this.

One point I would like to make is that security is controlled by the server, not the client. So simply removing the app from a device is not sufficient, as others with a device of their own are free to install the app and use it as they wish. That said, we are only talking here about a home network (at least in my case) so we do have some control over which devices have access and who owns those devices, so we are aware of who might be viewing the contents of our MyCloud device via the Photo app. The issue is that we would like to use the device to store a our private information, and at the same time use the device as a way to share all our holiday photos, etc. with other family members.

So given I am not satisfied with the way the Photo App currently works I have taken the step to disable the access at the server for the time being. My network users can use their laptops to map drives to the shares and view thumbnails to browse folders of photos they are authorised to view. On their mobile devices it is not quite as convenient.

Can I just say that apart from this security issue, I am very happy with the device. It does what I purchased it for, ranging from being a storage area that is available to all devices on my wireless network, a place to store both private and shared content for all members of my family, plus a place to backup files. I am impressed with the ease to set it up, and also the flexibility to define as many users and shares as I need, and assign specific access rights to those users. Also, the ability to login into the device (via SSH as root) is great (I do not like products which are locked down and restrict what the buyer can do – a large vendor who prefixes their products with an ‘i’ comes to mind). So I am really happy with the device but am just a bit disappointed that the Photo App was designed too much towards ease of use instead of honouring the access rights of the users of the MyCloud device.

Regards,
Peter

wardp025 wrote:

Dear Bill_S,

I’m afraid I cannot click the Kudos star just yet. :slight_smile:

 

I can accept that the app was design to work just like you say, as that is the choice of WD as the vendor. However, now that the app is in the marketplace it is clear that some consumers would prefer it did not work that way. And you have acknowledged that and made your product people aware of this.

 

One point I would like to make is that security is controlled by the server, not the client. So simply removing the app from a device is not sufficient, as others with a device of their own are free to install the app and use it as they wish. That said, we are only talking here about a home network (at least in my case) so we do have some control over which devices have access and who owns those devices, so we are aware of who might be viewing the contents of our MyCloud device via the Photo app. The issue is that we would like to use the device to store a our private information, and at the same time use the device as a way to share all our holiday photos, etc. with other family members.

 

So given I am not satisfied with the way the Photo App currently works I have taken the step to disable the access at the server for the time being. My network users can use their laptops to map drives to the shares and view thumbnails to browse folders of photos they are authorised to view. On their mobile devices it is not quite as convenient.

Can I just say that apart from this security issue, I am very happy with the device. It does what I purchased it for, ranging from being a storage area that is available to all devices on my wireless network, a place to store both private and shared content for all members of my family, plus a place to backup files. I am impressed with the ease to set it up, and also the flexibility to define as many users and shares as I need, and assign specific access rights to those users. Also, the ability to login into the device (via SSH as root) is great (I do not like products which are locked down and restrict what the buyer can do – a large vendor who prefixes their products with an ‘i’ comes to mind). So I am really happy with the device but am just a bit disappointed that the Photo App was designed too much towards ease of use instead of honouring the access rights of the users of the MyCloud device.

 

Regards,
Peter

Actually, WD Photos was always meant to be more of a personal app, but there’s nothing wrong with sharing it.  Also, security is not at risk, if you decide you no longer want to share photos.  All you have to do is go into the dashboard and remove the WD Photo permission from each of the users you no longer want to share with.

This “feature” makes no sense to me.  This is equivalent to allowing public access to facebook pictures that are marked as private.

This “feature” also allows the entire directory structure of private shares to be viewable (although not the content itself) through the WD photos app.

This needs to be fixed ASAP and is a highly critical flaw.

I’d like to also point out that this issue is not seen on MyBookLive products as it only allows pictures from Shared Pictures directory to be viewable through WD Photos App.

After upgrading to MyCloud, all pictures on all shares (even private) are viewable through WD Photos.  I preferred to only allow pictures from Public\Shared Pictures to only be viewable through WD Photos App.  Why was this change made?


Bill_S wrote:


Actually, WD Photos was always meant to be more of a personal app, but there’s nothing wrong with sharing it.  Also, security is not at risk, if you decide you no longer want to share photos.  All you have to do is go into the dashboard and remove the WD Photo permission from each of the users you no longer want to share with.

Sounds like a cop out answer Bill.  As community manager, it should be your duty to report these flaws to the developers and not come up with excuses to cover up for their mistakes.  Let’s go back to the drawing board and listen to what the customers want out of these apps.  

1 Like

Bill_S wrote:-

Actually, WD Photos was always meant to be more of a personal app, but there’s nothing wrong with sharing it.  Also, security is not at risk, if you decide you no longer want to share photos.  All you have to do is go into the dashboard and remove the WD Photo permission from each of the users you no longer want to share with.


Bill_S, could you please point out exactly where on the WD My Cloud dashboard this ‘WD Photo Permission’ setting is?? I am running the latest firmware, and I can’t find it on the WD My Cloud dashboard I am using. Nor is there any mention of it in the PDF manual I downloaded. Maybe you could post the link of the PDF manual where this feature is documented.

Thanks. 

fuscoeeng11 wrote:

Bill_S wrote:

Actually, WD Photos was always meant to be more of a personal app, but there’s nothing wrong with sharing it.  Also, security is not at risk, if you decide you no longer want to share photos.  All you have to do is go into the dashboard and remove the WD Photo permission from each of the users you no longer want to share with.


 

Sounds like a cop out answer Bill.  As community manager, it should be your duty to report these flaws to the developers and not come up with excuses to cover up for their mistakes.  Let’s go back to the drawing board and listen to what the customers want out of these apps.  

I’ve made no excuses.  I’m simply telling you how the software works.

wardp025 wrote:

 

Bill_S wrote:-

Actually, WD Photos was always meant to be more of a personal app, but there’s nothing wrong with sharing it.  Also, security is not at risk, if you decide you no longer want to share photos.  All you have to do is go into the dashboard and remove the WD Photo permission from each of the users you no longer want to share with.


 

Bill_S, could you please point out exactly where on the WD My Cloud dashboard this ‘WD Photo Permission’ setting is?? I am running the latest firmware, and I can’t find it on the WD My Cloud dashboard I am using. Nor is there any mention of it in the PDF manual I downloaded. Maybe you could post the link of the PDF manual where this feature is documented.

 

 

Thanks. 

You remove cloud devices by going to the Cloud Access tab, in the Dashboard, clicking on it, then clicking on the user you created to share your photos through.  You’ll find the devices on the lower right of the page.  You just need to click on the trashcan to remove the devices showing WDPhotos you don’t want having access.  It’s on page 61 of the manual. 

By the way, regarding WD Photos showing all your photos, it explicitly says in the manual that WD Photos will show your entire photo collection to anyone you want to share with.

On page 63 of the manual, it says, and I quote,

"Entertainment is happening all around you. Now you can capture every moment of it and send it to your device for access on any page in your home. Take a photo or video clip on your smartphone or tablet and upload it directly to your WD My Cloud device. Then you will have new files waiting for you so you can enjoy them in your entertainment center.

Show off your entire photo collection, that can include thousands of photos, without taking up tons of space on your smartphone."

I’m guessing by your reply that there is no plan to provide a fix for this “feature”.  It doesn’t seem to me that the fix in the WD Photos app should be all that difficult considering that there is no issue in the WD MyCloud app.

Dear Bill_S,

Thank you for taking the time to point me to the relevant sections in the manual. However, you have overlooked the important information on page 64 which states:-

  1. You have three options for connecting to the WD My Cloud device:
     Found in Network: If the mobile device is connected by Wi-Fi to the same Local
    Area Network as the WD My Cloud device, the app is automatically activated.

So I can happily send all the devices I like to the trash can, but if they are on my local network then the user of the device can easily reinstall the app and it is automatically reactivated. I have doubts you have ever used the product.

You should try to understand the scenarios we are all describing instead of trying to defend the product’s behaviour without actually knowing how it works.

Plus, you make a quote about ‘showing off your entire photo collection’ to justify the behaviour. Go back and read the posts (and the TITLE of the this post). We are not complaining about whether we can share our photos. We can put them on a public share if we want to. What we are complaining about is that the Photo App will display the entire folder structure for every share, whether private or not.

And as the previous post says, if you have made the MyCloud app behave correctly, then it can’t be so difficult to fix the Photo app to do the same.

Phamdh wrote:

I’m guessing by your reply that there is no plan to provide a fix for this “feature”.  It doesn’t seem to me that the fix in the WD Photos app should be all that difficult considering that there is no issue in the WD MyCloud app.

There is no need to “fix” anything.  It is a personal app.  As the manual says, if you share, you share everything.  That’s why WD2go was designed - to give you the capability to specifically share what you want to share.

wardp025 wrote:

Dear Bill_S,

 

Thank you for taking the time to point me to the relevant sections in the manual. However, you have overlooked the important information on page 64 which states:-

 

  1. You have three options for connecting to the WD My Cloud device:
     Found in Network: If the mobile device is connected by Wi-Fi to the same Local
    Area Network as the WD My Cloud device, the app is automatically activated.

 

So I can happily send all the devices I like to the trash can, but if they are on my local network then the user of the device can easily reinstall the app and it is automatically reactivated. I have doubts you have ever used the product.

 

You should try to understand the scenarios we are all describing instead of trying to defend the product’s behaviour without actually knowing how it works.

 

Plus, you make a quote about ‘showing off your entire photo collection’ to justify the behaviour. Go back and read the posts (and the TITLE of the this post). We are not complaining about whether we can share our photos. We can put them on a public share if we want to. What we are complaining about is that the Photo App will display the entire folder structure for every share, whether private or not.

 

And as the previous post says, if you have made the MyCloud app behave correctly, then it can’t be so difficult to fix the Photo app to do the same.

 

Those three ways on page 64 only work if you are given access to the photo collection.  Once you remove the other person’s device from your My Cloud dashboard, they no longer have the capability to access the drive, except unless they are on your local network and you haven’t password protected the drive.

I just tested your scenario and could not access my drive on the local wireless network.  It wouldn’t let me get any further without a password.  Maybe you’re not fully understanding how to remove devices from the My Cloud, so if you want I can have support help you.

If there was a real security issue, then we would get on it right away.  But if it’s just how you might want the app to work, then you really need to get used to using WD2go.  That app gives you the control you want.

I recently bought a My Cloud device and I’m experiencing the same problem. I find it unacceptable that this product allows for every media file to be exposed (shared) regardless of user’s selected configuration. Similar to some other user who posted before, I have the need to store work related material that should not be shared with other users in my network.

I can accept that the default behavior is as stated, but there should be a way for the administrator to stop the sharing. Restricting other users from installing the app on their devices is not a solution.

Otherwise, if this problem cannot be solved soon, I will be forced to find another product (from another vendor) to replace my device.