Blog: Disney's PhotoPass (2012-09-10)

During our vacation this year, we also visited Disneyland California, since we had already heard a lot about it and wanted to form our own impression. One "service" provided there is Disney-employed photographers who take pictures of your visit for later purchase. This is called Disney's PhotoPass.

I have some points of criticism about that, however, and also want to point out a "security flaw" which makes it easy to download preview pictures in quite good quality and high resolution without the need to purchase them. Last week I notified their support about all that follows, and in an automated reply they promised to be in contact about my message within 48 hours, but all I've got since then is a message telling me that my "comments have been shared and taken seriously"—with no further concrete reference to any of them, and besides, the download as discussed below still works for me right now. So I have my doubts about them taking the comments seriously, and thus feel no obligation to keep it secret. Here you are.

But before I come to the download-thing, let me share some general comments I have. Since my general impression (of the PhotoPass, not Disneyland itself!) was rather negative, I want to start with a positive remark:

  1. All PhotoPass photographers were readily available to take pictures not only with their own but also with visitors' cameras. So you could take your own pictures rather than having to buy them from Disney. In general, all employees were really friendly and helpful; but this is of course something to expect from the self-proclaimed "happiest place on earth".

And now, two things I find really negative:

  1. In order to use the PhotoPass, you have to register an account. That's ok with me so far, but in addition to your email address (which is used as username), you also have to provide your street address and phone number! I really don't see why they would need my phone number at all, and also the street address is only necessary for shipping and billing. So why can't one at least preview the pictures without providing both? The only reason that comes to my mind is that Disney wants to collect as much data about its customers as possible.
  2. The prices are really, really, really expensive. And I really mean expensive. In my opinion, it feels much like trying to make money out of children's influence over their parents; in Europe, for example, directly addressing children in TV advertising is illegal. If you want to buy a CD with all photos on it, it is $69.95—but nicely enough, the second one is only $19.95. And if you want to only download a photo, it costs $14.95—yes, per photo. I couldn't believe that at first and thought it was for a bunch of pictures, but later found it clearly stated.

Now to the "problem" allowing high-resolution photo downloads from their preview website: The website allows for "editing" photos (which means adding borders and other stuff to them), and for this, a page is provided that sends preview versions of the photos. By default, they are relatively small (400x267 pixels for a landscape format)—however, the script receives the desired size as an HTTP GET parameter, which is not checked on the server side. Thus it is very easy to supply a modified parameter to get larger sizes. There's also a parameter for the desired JPEG quality, but it seemed to me that the resulting image still had some minor compression artifacts even when changed to 100. In my tests the quality was not bad, though, and I don't know whether the "official" picture downloads are any different.

Here comes the step-by-step guide: Open up the PhotoPass account and go to the picture editor. Then (using a Mozilla browser like Iceweasel) select "View Background Image" from the context menu over the preview picture, and you should see the picture alone on a page. The address bar shows something like this:

The emphasised parts are the ones you probably want to change: Quality can be changed from 80 to 100, and the width to any desired value. If you change 400 to the empty string (resulting in width=), you seemingly get a kind of default resolution which is 1274x849 pixels. The address should then look like:

Now you can save the picture and you're done. Note that you may be violating their terms of service or something if you keep the picture and don't just want to verify this bug exists for yourself.

As a final remark, another security problem is that once you have the address, you can use it to show the picture even when you are not logged into your account. Since the picture ID is required for that and it seems to be a Version 4 UUID, this is probably not a severe problem, as the ID is hard to guess if you don't have access to the picture in the first place. Nevertheless, an additional access check couldn't have hurt in my opinion.
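To make the two server-side mistakes concrete (trusting the client-supplied width and quality, and serving a picture by ID without checking who is logged in), here is an added example of how a hardened preview endpoint could validate its request. This is my own illustration, not Disney's code: the parameter names (`id`, `width`, `quality`), the allowed sizes, the quality cap and the in-memory picture store are all assumptions, and the picture IDs are constructed sample values.

```python
"""Added example (not PhotoPass code): validate a preview-image request.

The handler only honours widths from an allow-list (an empty string falls
back to the small default, never to full size), clamps JPEG quality, requires
a login, and checks that the picture ID belongs to the logged-in account.
All names and values are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import uuid

# Preview sizes the editor page is allowed to request (assumed values).
ALLOWED_WIDTHS = {200, 400}
DEFAULT_WIDTH = 400
# Highest JPEG quality a preview may be served at (assumed value).
MAX_PREVIEW_QUALITY = 80

# Constructed sample picture IDs (valid version 4 UUIDs) and owners.
PICTURE_A = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"
PICTURE_B = "7c9e6679-7425-40de-944b-e07fc1f90ae7"
PICTURES = {  # picture id -> owning account (constructed store)
    PICTURE_A: "alice@example.com",
    PICTURE_B: "bob@example.com",
}


class PreviewError(Exception):
    """Raised for any request the server refuses to render."""


@dataclass(frozen=True)
class PreviewRequest:
    picture_id: str
    width: int
    quality: int


def parse_preview_url(url: str, session_user: Optional[str]) -> PreviewRequest:
    """Return the sanitized parameters for a preview request, or raise."""
    if session_user is None:
        raise PreviewError("login required")
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    # Picture ID: must parse as a UUID and be owned by the logged-in user.
    raw_id = params.get("id", [""])[0]
    try:
        picture_id = str(uuid.UUID(raw_id))
    except ValueError:
        raise PreviewError("malformed picture id")
    if PICTURES.get(picture_id) != session_user:
        # Same answer for "unknown" and "not yours": the ID cannot be probed.
        raise PreviewError("picture not found")

    # Width: allow-list only; an empty value means the default, not "full".
    raw_width = params.get("width", [str(DEFAULT_WIDTH)])[0]
    if raw_width == "":
        width = DEFAULT_WIDTH
    else:
        try:
            width = int(raw_width)
        except ValueError:
            raise PreviewError("bad width")
        if width not in ALLOWED_WIDTHS:
            raise PreviewError("width not permitted")

    # Quality: clamp into [1, MAX_PREVIEW_QUALITY] instead of trusting it.
    raw_quality = params.get("quality", [str(MAX_PREVIEW_QUALITY)])[0]
    try:
        quality = int(raw_quality)
    except ValueError:
        raise PreviewError("bad quality")
    quality = max(1, min(quality, MAX_PREVIEW_QUALITY))

    return PreviewRequest(picture_id, width, quality)


def rejects(url: str, session_user: Optional[str]) -> bool:
    """True if the server would refuse this request."""
    try:
        parse_preview_url(url, session_user)
    except PreviewError:
        return True
    return False


if __name__ == "__main__":
    base = "https://photos.example/preview"
    print(parse_preview_url(f"{base}?id={PICTURE_A}&width=&quality=100", "alice@example.com"))
    print(rejects(f"{base}?id={PICTURE_A}&width=1274&quality=80", "alice@example.com"))
```

The two checks are independent on purpose: the ownership check closes the "works while logged out" gap, and the allow-list closes the resolution gap even for the legitimate owner, so a hard-to-guess UUID is never the only thing standing between a preview and a full-size download.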

Copyright © 2011–2019 by Daniel Kraft