The flaw in the Photobucket site, which revealed private photos to a determined adversary, has been fixed.
Popular photo-sharing site Photobucket has issued a fix for a hole allowing people to access photos in albums users have marked as 'private'.
According to CNet, which appears to be taking the credit for alerting Photobucket about the issue, the problem was discovered by a Vancouver (that's California, not Canada) computer tech by the name of Byron Ng. Armed with the user identifier of a Photobucket member and the knowledge of at least one filename in their private album – by far the hardest bit of information to glean – it was possible for users to manually enter a URI for a private album page, and from there navigate to any other file within the allegedly 'private' album.
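To make the access-control gap concrete, here is an added illustration (constructed for this post, not Photobucket's code) of a photo handler that serves anything whose path exists beside one that also checks the album's privacy flag against the requesting user; the album store and filenames are invented sample data.

```python
# Added example: a URI-only lookup versus one that enforces album privacy.
# All data here is constructed; the store stands in for a real database.
from dataclasses import dataclass, field


@dataclass
class Album:
    owner_id: str
    private: bool
    files: dict = field(default_factory=dict)  # filename -> image bytes


# Constructed sample store: one private album, one public album.
ALBUMS = {
    "alice": Album("alice", private=True,
                   files={"beach.jpg": b"<jpeg>", "dog.jpg": b"<jpeg>"}),
    "bob": Album("bob", private=False, files={"car.jpg": b"<jpeg>"}),
}


def serve_photo_vulnerable(user_id, filename):
    """Flawed handler: a guessable user id plus one known filename is enough.

    Knowing the path is treated as authorisation, and the response also lists
    the album's other files, so one filename unlocks the whole album.
    """
    album = ALBUMS.get(user_id)
    if album is None or filename not in album.files:
        return None
    return {"photo": album.files[filename], "siblings": sorted(album.files)}


def serve_photo_hardened(user_id, filename, requester):
    """Fixed handler: the same lookup, gated on who is asking.

    Private albums are only served to their owner. Denials return the same
    result as a missing file so the response does not confirm that a
    particular filename exists in someone's private album.
    """
    album = ALBUMS.get(user_id)
    if album is None or filename not in album.files:
        return None
    if album.private and requester != album.owner_id:
        return None
    return {"photo": album.files[filename], "siblings": sorted(album.files)}
```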
After CNet contacted Photobucket in the morning on Monday, a fix was rolled out that prevented such known-filename attacks that afternoon. Whether that's because CNet contacted Photobucket I leave to the reader to conclude; a statement from News Corp, the corporate overlords of both Photobucket and popular social networking site MySpace, simply states that the issue has been resolved “less than 24 hours after the site was made aware of the issue,” which certainly sounds like CNet was beaten to the punch.
While improved privacy on such sites is to be applauded, I can't help but question why someone would upload their pictures to a photo-sharing site and then mark them as private. Perhaps I'm just not switched on to this Web 2.0 world we live in, in which we have ever-increasing amounts to show to an ever-shrinking audience.
What's your take on this – was it a critical flaw in the design of the site, or do you agree that 'private' photos should never have been uploaded to a third-party website in the first place? Share your thoughts over in the forums.