Photo booth customers' pictures exposed online due to security flaw

Flaw in photo booth maker’s website exposes customers’ pictures


According to a security researcher, a photo booth maker’s website is exposing its customers’ pictures and videos online due to a simple flaw in the website where the files are stored.

The researcher, who goes by Zeacer, alerted TechCrunch to the security issue in late November. He had reported the vulnerability in October to Hama Film, the photo booth maker, which has a franchise presence in Australia, the United Arab Emirates, and the United States, but did not hear back.

Security Flaw Leaves Customers’ Data Exposed

Zeacer shared with TechCrunch a sample of pictures taken from Hama Film’s servers, which showed groups of clearly young people posing in photo booths.

Hama Film’s booths not only print out the photos like a typical photo booth, but also upload customers’ photos to the company’s servers.

Company Fails to Respond to Security Concerns

Vibecast, which owns Hama Film, has yet to respond to Zeacer’s messages alerting the company to the issue.

Vibecast also hasn’t responded to several requests for comment from TechCrunch, nor did Vibecast’s co-founder Joel Park respond to a message we sent via LinkedIn.

Security Flaw Continues to Expose Customers’ Data

As of Friday, the researcher said the company has still not fully resolved the security flaw and continues to expose customers’ data.

When Zeacer first found the flaw, he noted that photos appeared to be deleted from the photo booth maker’s servers every two to three weeks.

Limitations of the Security Flaw

Now, he said, the pictures stored on the servers appear to get deleted after 24 hours, which limits the number of pictures exposed at any given time.

However, a hacker could still, each day, exploit the vulnerability he discovered and download the contents of every photo and video on the server.

Similar Security Incidents in the Past

This incident is the latest example of a company that, at least for a time, was not implementing certain basic and widely accepted security practices, such as rate-limiting.

Last month, TechCrunch reported that government contractor giant Tyler Technologies was not rate-limiting the websites it provides for courts to manage their jurors’ personal information.

This highlights the importance of implementing basic security practices to protect customers’ data.

 

