I recently discovered that Rover profiles, which typically have many photos of your pet in your home taken by the sitter for daily check-in, are protected from the public by only an easy-to-guess URL.

  Ex. https://rover.com/members/name-location/dogs

Anyone with a rover account can sign in to rover and scrape those photos. Those photos are highly likely to contain information about your home location (delivered packages, photos out a window of your neighborhood, etc.), home entry (physical key rack, garage-pin on the fridge, etc.), and what dates/times you are out of town (picture timestamps, etc.).

Worse, the photos can only be deleted by the sitter.

--

Recommend fixes for Rover:

1. Photos taken by the sitter, of your pet, at your home should:

1.a. Be private by default

1.b. Only have expanded access (on the sitters profile, or to the public) if you grant it via a standard request-accept flow.

1.c. Should be able to be deleted by you from the platform.

2. Sitters should be trained to not take or upload any photos on the platform with any personal, location, entry, or date/time information. If they do, there should be course correction and or removal from the platform.