Photobucket is not as popular as it used to be, but it is still used by a good number of people, and Twitter relies on it for image hosting. As it turns out, there is a serious weakness in the service that lets almost anyone get at pictures their owners have marked private.
According to Katie Notopoulos of BuzzFeed FWD, all an attacker needs is a fusking application: a piece of software that guesses sequentially numbered image file names and pulls down every image it finds.
The issue is not exactly new. The technique has been used on numerous occasions to obtain adult pictures from the accounts of unsuspecting female users.
Many of the “secret” pictures posted on 4chan are obtained this way, and dozens of tutorials on the method have been posted, some dating as far back as 2009.
Even so, many users are unaware of the issue, and Photobucket has done little to stop the practice.
So, how does the attack work?
When pictures are uploaded to Photobucket, the account holder chooses whether they are public, private, or password protected.
The last two options should keep the pictures out of sight, but they only restrict the album page: the image files themselves sit at direct URLs that are served to anyone who holds the link. That is why an owner can send another user the link to a private or password-protected image and the recipient can view it regardless of the setting.
If the image’s URL is something like http://photobucket.com/image/user/DSC_002.jpg (the DSC_ prefix plus a sequence number is the default naming scheme of many cameras), whoever holds that link can browse the rest of the album simply by changing the number.
Say you want someone to see DSC_002.jpg but not DSC_003.jpg: the privacy settings give you no way to prevent it, because the second name is trivially derived from the first.
With a fusking application the whole album can be pulled down with even less effort, since the program iterates through the numbers for you.
So, for the time being, the issue remains unaddressed, and the only response from Photobucket representatives is a piece of advice. They told The Huffington Post that they recommend customers “scramble” the names of their photos so that they are harder to enumerate.
Here are more details on how to do this.
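To make both halves of the story concrete, here is an added example (not code from the article, BuzzFeed, or Photobucket) that turns one leaked camera-style URL into the list of neighbouring URLs a fusker would try, and beside it the “scramble the file name” advice done with a proper random name. The URL path is the article’s illustrative one and is assumed not to reflect Photobucket’s real layout; the bracketed `[start-end]` range is the usual fusker notation, and taking the zero padding from the width of the start value is this example’s own choice. Nothing is fetched over the network; the point is how small the search space is for a counter-style name and how large it is for a random one.

```python
import re
import secrets

# Constructed URL in the shape the article describes (assumption: the real
# Photobucket path layout is not reproduced here).
LEAKED_URL = "http://photobucket.com/image/user/DSC_002.jpg"

# Fusker range syntax: "DSC_[001-010].jpg" stands for DSC_001.jpg .. DSC_010.jpg.
# The bracketed range is the conventional fusker notation; taking the zero
# padding from the width of the start value is this example's choice.
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")
# A camera-style name: optional letter prefix, optional separator, a counter.
CAMERA_NAME_RE = re.compile(r"[A-Za-z]*[_-]?\d+\.[A-Za-z0-9]+")


def expand_pattern(pattern: str) -> list[str]:
    """Expand every [start-end] range in a fusk pattern into concrete URLs.

    Ranges are expanded left to right; several ranges in one pattern give the
    cartesian product. A pattern without a range is returned unchanged.
    """
    m = RANGE_RE.search(pattern)
    if m is None:
        return [pattern]
    start, end = m.group(1), m.group(2)
    lo, hi, width = int(start), int(end), len(start)
    if hi < lo:
        raise ValueError(f"bad range {m.group(0)}: end precedes start")
    urls = []
    for n in range(lo, hi + 1):
        candidate = pattern[: m.start()] + str(n).zfill(width) + pattern[m.end():]
        urls.extend(expand_pattern(candidate))  # handle any further ranges
    return urls


def pattern_from_url(url: str) -> str:
    """Turn one leaked camera-style URL into a fusk pattern for the album.

    DSC_002.jpg has a three-digit counter, so the pattern spans 000-999:
    everything the attacker in the article reaches by "changing the number".
    """
    m = re.search(r"(\d+)(\.[A-Za-z0-9]+)$", url)
    if m is None:
        raise ValueError("file name does not end in a counter")
    width = len(m.group(1))
    rng = f"[{'0' * width}-{'9' * width}]"
    return url[: m.start(1)] + rng + m.group(2)


def is_guessable(file_name: str) -> bool:
    """True if the name follows the prefix-plus-counter pattern an enumerator
    can walk; False for names with no counter to increment."""
    return CAMERA_NAME_RE.fullmatch(file_name) is not None


def scrambled_name(ext: str = ".jpg", nbytes: int = 16) -> str:
    """The 'scramble the file name' mitigation done properly: 128 bits from the
    OS CSPRNG, so there is no neighbouring name to guess."""
    return secrets.token_urlsafe(nbytes) + ext


if __name__ == "__main__":
    pattern = pattern_from_url(LEAKED_URL)
    candidates = expand_pattern(pattern)
    print(f"{LEAKED_URL} -> {pattern} ({len(candidates)} candidate URLs)")
    print("guessable:", is_guessable("DSC_002.jpg"), is_guessable(scrambled_name()))
```

Renaming a file by hand to something like `beach_2012_final.jpg` is not scrambling in this sense; it removes the counter but stays guessable from context. The mitigation only works when the name carries enough randomness that enumerating the neighbours is infeasible, which is why the example draws it from `secrets` rather than from a pattern.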