Sunday, August 12, 2012

Photo site security hole may leave your nude photos exposed

17 hrs.

Remember Photobucket? Yes? You still have an account on there? You don?t happen to have any? *squints eyes, looks around*?old nudes?in there, do you??

A hole in Photobucket's privacy has made it so that private albums can be accessed with little work, using a "fusker" program. ?While recent reports about how easy it's been to hack and delete someone's online existence through recently rectified holes?security holes in Apple's phone verification are frightening,?this opening on Photobucket?has remained open for at least five?years. A request for comment from?Photobucket has not been answered.

For a long time, I?ve seen threads on 4chan of images of girls? ?hacked Photobucket? images, but I typically ignored them, having little interest in photos of possibly underage nude girls. I also assumed they weren?t really ?hacked? and were just ads for a pornography site (there?s plenty of that kind of spam on 4chan).?

It was only recently that I noticed what was actually going on in one of these threads ??one person started a thread saying they knew how to ?fusker? Photobucket accounts, and if anyone sent in the username of a girl whose private photos they wanted to see, he?d access them for them. Plenty of people responded with links to the Photobucket accounts of female acquaintances, and sure enough, OP delivered private photos of the girls in underwear.

How is this possible??Photobucket handles privacy levels differently than other photo sharing services like Flickr or Facebook. Instead of setting a privacy level at the individual photo, you set the privacy level ("Everyone," "Private," or "Password-protected") at the album level. If you select Private or Password-protected for an album, the photos won?t show up in search, and someone browsing your profile wouldn't be able to find them. However, each photo is still accessible via a direct link to its URL.

This means that if I put photos in a private or password-protected album, I can still send a direct link to an individual photo to my friend, and she won?t need a password to view that photo. If she wants, she can pass along that link to any of her other friends and they can also view over the Photobucket site, no problem, regardless of how I set the privacy level on the album. This is meant to be a feature ? in theory, only an album's owner would be able to share the link in the first place, since the only obvious way to find its url in the first place is to have access to its album.

Problem is, the URLs Photobucket uses for these pictures use the photos' actual file names, and file names aren't that hard to guess. For example, if the photo I want to send to Sally is DSC_003.jpg, she can guess that there?s also an DSC_004.jpg in that album. And maybe I don?t want her seeing DSC_004.jpg.

Of course, your friends probably aren?t going to sit there and guess every single possible file name. That would be time-consuming, and even harder if they hadn?t seen that first file name to give them a hint. That?s where "fusking" programs come ? you just enter the username and album name, and the fusking program will run through likely guesses and pull up any images it can find.

Who would want to do this? Corporate espionage? The CIA? Your boss? Of course not! It?s all dudes who want to find nudes of that hot girl in their class. Instructional videos on how to download and use fusking programs are open about the fact that they?re looking for girls? private photos. In one video, the motivation for fusking is clear:

Have you ever, like seen a really hot chick on Myspace or something, and she?s got a picture on her front page? Like on her profile that she put it on there with HTML with a Photobucket link, and then you go to the username that?s on the Photobucket link, and you get to the site, and the fricking name is private? It just PISSES you off, you know?

Scraps of evidence of guys using fuskers to get girls? private photos exists in message boards. In a discussion thread about how Photobucket took down a photo that was only moderately risqu? (Photobucket was notoriously strict about taking down pornography and nudity), someone chimed in, ?I've lurked and fuskered Photobucket and have downloaded pictures off of girls private and public Photobucket pages that show way more than that.?

I thought that this was all way in the past ? a 2007 moment of folly. However, very recently, a friend had this happen to him, or more specifically, his ex-girlfriend?s photos. He discovered that someone has posted photos of his ex in a NSFW sub-Reddit that he had taken years ago, and he knew the only place she would have stored the photos was her private Photobucket account. The comment on the photo posted to Reddit said that the person had found the photos on 4chan, where they had been posted in response to a fusking request. This meant that someone had very recently targeted his girlfriend?s years-old Photobucket account that she had likely forgotten even held those photos.

Sure, Photobucket isn?t exactly as popular as it was back in 2007 when Myspace bought it for around $300M. Facebook has more or less killed Photobucket for sharing photos with friends and family, and sexting via smartphone with better cameras has eliminated the need to store X-rated photos of yourself on a photo-hosting service. Today, Photobucket is primarily a silent partner to Twitter, which uses its infrastructure for t.co photo hosting (those photos are not vulnerable to the same kind of fusking).?

Just as my friend?s ex-girlfriend, many people have Photobucket accounts left from the Myspace days that are just gathering dust, potentially with some risqu? photos in ?private? albums. If you were dumb enough to be taking nude photos (don?t ever take nude photos. In fact, don?t be nude, ever. Just avoid the whole thing), you better delete those?pictures, ASAP, people.

More from BuzzFeed FWD:

Source: http://www.technolog.msnbc.msn.com/technology/technolog/photobuckets-security-hole-may-leave-your-nude-photos-exposed-935192

nfl 2012 schedule gmail down tim lincecum ryan oneal file taxes online tupac shakur sledge hammer

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.