Accessing a misconfigured directory is a gray area legally. In the United States, the Computer Fraud and Abuse Act (CFAA) has been interpreted to mean that accessing a public folder (even one with private intentions) may not be a crime—until you download or modify files. However, in the European Union, accessing private data without authorization, even via an open directory, can violate the GDPR.
Bottom line: If you stumble upon a parent directory index of private images that does not belong to you, do not click through. Do not download. Instead, contact the website owner or their hosting provider to report the exposure responsibly.
While it may sound theoretical, the exposure of private images via directory indexing happens constantly. parent directory index of private images top
In each case, the damage was entirely preventable.
A malicious actor who finds a parent directory index of private images top has struck gold. Here is what they can do: Accessing a misconfigured directory is a gray area legally
You might wonder: Why would private images ever appear in a public index? The answer is almost always human error or misconfiguration.
Add Disallow: /private/ to your robots.txt file. While not a security measure (malicious actors ignore it), it prevents honest search engines from indexing your private directories. In each case, the damage was entirely preventable
Important: Only perform discovery on assets you own or have explicit authorization to test. Unauthorized scanning or accessing private content may be illegal.