A few days after Google’s big Photos rollout, a user on Reddit noticed something fishy. “I was browsing through my photos and wanted to see the full size of an image so I right-clicked,” RossFletch wrote. That took him to an open URL, still accessible when he was in incognito mode. By the logic of Photos, the image should have been private — he hadn’t clicked the share button — but through this URL, it was available to anyone who typed in the right string of characters. He even pulled the image using Wget, a web-scraper utility, routed through a virtual server to hide his identity. However he came at the URL, his picture still came up. “How is this possible when this image isn’t shared with anyone?” Fletch asked.