Photobucket Hacker Devs Arrested For Stealing Private Photos, Passwords From Users

The market may be filled to the brim with image and video sharing websites, but one of the oldest ones, Photobucket, still proves to be a popular choice. As we're now finding out, though, it's a choice you may want to reconsider if you have an account with the service.

The US Department of Justice yesterday announced the arrest of two men responsible for developing and marketing software that would allow people to gain access to private photos attached to Photobucket user accounts. The software utilized a legitimate technique called 'Fusking', which enables you to fetch, en masse, URLs that follow a specific pattern, e.g. IMG_1[1-999].jpg. A fetching method like this would be useless on most sites, but not Photobucket, thanks to its subpar security implementations.

The problem stems from the fact that Photobucket doesn't change the name of images uploaded to the service, and it also doesn't require a password for images that are directly linked, even if they reside in an album that does require a password. If someone links you to an image on their Photobucket account that looks like it could be part of a range, then all a user has to do is guess different URLs. For example, if IMG_1234.jpg exists, then IMG_1235.jpg could, too.

What a tool like the aforementioned one could do is let the user specify a Photobucket account and let the program take over: it would run through a variety of common image names and see what it can pull. It goes without saying that many Photobucket users probably have images uploaded to the service that they'd like to keep private, and solely because of the service's horrible security practices, those images wouldn't be very private at all.
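As an added example (not Photobucket's code and not from the original article), the sketch below shows the hardened counterpart of the two weaknesses described above: uploads are stored under random keys instead of the uploader's filename, and a direct link goes through the same album privacy check as the album page. `ImageStore`, `Album` and the `allowed` set are hypothetical names, and the in-memory dictionary stands in for real storage.

```python
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Album:
    owner: str
    private: bool
    # Viewers who already passed the album's password check (assumed to
    # be tracked by the session layer, which is out of scope here).
    allowed: set = field(default_factory=set)


class ImageStore:
    ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

    def __init__(self):
        self._by_key = {}  # storage key -> (album, original name, data)

    def upload(self, album, original_name, data):
        """Store under a random key; the uploader's filename is metadata only."""
        ext = os.path.splitext(original_name)[1].lower()
        if ext not in self.ALLOWED_EXT:
            raise ValueError("unsupported image type")
        # 128 random bits: knowing one key says nothing about its neighbours,
        # unlike IMG_1234.jpg -> IMG_1235.jpg.
        key = secrets.token_urlsafe(16) + ext
        self._by_key[key] = (album, original_name, data)
        return key

    def fetch(self, key, viewer=None):
        """Serve a direct link, applying the album's privacy setting."""
        entry = self._by_key.get(key)
        if entry is None:
            return None
        album, _original_name, data = entry
        authorised = viewer is not None and (
            viewer == album.owner or viewer in album.allowed
        )
        if album.private and not authorised:
            # Same answer as "not found", so a denied request does not
            # confirm that the image exists.
            return None
        return data
```
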

For their actions, the creators of this Photobucket-specific tool are being charged with conspiracy, computer fraud, aiding and abetting, and access device fraud.

If Photobucket's horrendous security has rubbed you the wrong way, I'd recommend giving Imgur a try, as it's a simple service that has no storage limits. Alternatively, you may also want to consider cloud services, such as Google Drive, Dropbox, or OneDrive. Those may not be as convenient, but they'll prove far more secure.


Via:  DOJ