bit-tech.net

Photobucket privacy hole patched

The flaw in the Photobucket site, which revealed private photos to a determined adversary, has been fixed.

Popular photo-sharing site Photobucket has issued a fix for a hole allowing people to access photos in albums users have marked as 'private'.

According to CNet, which appears to be taking the credit for alerting Photobucket about the issue, the problem was discovered by a Vancouver (that's California, not Canada) computer tech by the name of Byron Ng. Armed with the user identifier of a Photobucket member and the knowledge of at least one filename in their private album – by far the hardest bit of information to glean – it was possible for users to manually enter a URI for a private album page, and from there navigate to any other file within the allegedly 'private' album.

After CNet contacted Photobucket on Monday morning, a fix preventing such known-filename attacks was rolled out that afternoon. Whether the fix happened because CNet contacted Photobucket I leave to the reader to conclude; a statement from News Corp, the corporate overlords of both Photobucket and popular social networking site MySpace, simply states that the issue was resolved “less than 24 hours after the site was made aware of the issue,” which certainly sounds like CNet was beaten to the punch.
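The flaw described above is an access-control check that was effectively tied to URL secrecy: once a visitor reached one file in a private album, the album page itself let them browse the rest. The following is an added example, not Photobucket's code; it uses a constructed in-memory album store and hypothetical handler names to show the difference between a handler that only checks that a file exists and one that checks the requester's authorization on every album and file request, so that knowing a user id and a filename buys an outsider nothing.

```python
from dataclasses import dataclass, field

@dataclass
class Album:
    owner: str
    private: bool
    files: set
    shared_with: set = field(default_factory=set)  # accounts granted access to a private album

# Constructed sample data for the example (not real accounts or filenames).
ALBUMS = {
    ("alice", "holiday"): Album(owner="alice", private=True,
                                files={"beach.jpg", "sunset.jpg"}, shared_with={"bob"}),
    ("alice", "forum"): Album(owner="alice", private=False, files={"avatar.png"}),
}

def can_view(album, requester):
    """Authorization decision: public albums are open; private ones only to owner or grantees."""
    if not album.private:
        return True
    return requester is not None and (requester == album.owner or requester in album.shared_with)

def serve_file_vulnerable(user_id, album_name, filename):
    """Mirrors the defect in the article: file existence is the only check, so anyone who
    can construct the URI (user id + one known filename) gets the private file."""
    album = ALBUMS.get((user_id, album_name))
    if album is None or filename not in album.files:
        return 404, None
    return 200, filename

def list_album_vulnerable(user_id, album_name):
    """The album page that let a visitor navigate from one known file to every other file."""
    album = ALBUMS.get((user_id, album_name))
    if album is None:
        return 404, []
    return 200, sorted(album.files)

def serve_file(user_id, album_name, filename, requester=None):
    """Hardened handler: authorization is evaluated before anything about the album is revealed.
    A 404 (rather than 403) is returned for unauthorized private albums so the response does not
    confirm that the album or file exists."""
    album = ALBUMS.get((user_id, album_name))
    if album is None or not can_view(album, requester):
        return 404, None
    if filename not in album.files:
        return 404, None
    return 200, filename

def list_album(user_id, album_name, requester=None):
    """Hardened album page: the listing is gated by the same check as each file."""
    album = ALBUMS.get((user_id, album_name))
    if album is None or not can_view(album, requester):
        return 404, []
    return 200, sorted(album.files)

if __name__ == "__main__":
    # An anonymous visitor who knows the user id and one filename:
    print(serve_file_vulnerable("alice", "holiday", "beach.jpg"))   # (200, 'beach.jpg') - leak
    print(serve_file("alice", "holiday", "beach.jpg"))              # (404, None)
    print(list_album("alice", "holiday", requester="bob"))          # (200, ['beach.jpg', 'sunset.jpg'])
```

The point of the hardened version is that `can_view` runs on every request for both the album listing and the individual file, so the "hardest bit of information to glean" (a filename) is no longer a credential. A site that also wants images from private albums to be embeddable on forums, as one commenter below describes, would need a separate, deliberate mechanism for that (for instance a per-image share token), rather than relying on the album URL being unguessable.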

While improved privacy on such sites is to be applauded, I can't help but question why someone would upload their pictures to a photo-sharing site and then mark them as private? Perhaps I'm just not switched on to this Web 2.0 world we live in, in which we have ever-increasing amounts to show to an ever-shrinking audience.

What's your take on this – was it a critical flaw in the design of the site, or do you agree that 'private' photos should never have been uploaded to a third-party website in the first place? Share your thoughts over in the forums.

14 Comments

iwog 15th July 2008, 13:32 Quote
meh, never had any private photos on there anyhow. Is just a place where I dump anything I want other people to see
Timmy_the_tortoise 15th July 2008, 13:39 Quote
I keep my "private" photos on an encrypted USB key, under lock and key, in an electromagnetic safe, in my basement, behind a solid diamond door, guarded by two machine gun toting facial recognition cameras.
wuyanxu 15th July 2008, 13:42 Quote
i found that out also.

I usually only upload an Untitled.jpg file because I'm too lazy. First uploaded an Untitled.jpg, then deleted it, and a few days later, uploaded another Untitled.jpg. Because the first one doesn't exist, the latter gets put on without renaming. Going back to a forum, I discovered that the newly uploaded photo gets shown instead of the not-found mini-picture.
Firehed 15th July 2008, 14:26 Quote
I don't often use the privacy features, but you're being awfully short-sighted if you don't see why they exist, Gareth. I'm not talking about throwing porn on the site, but photos from a private event for example that you want to share with the people that were there but nobody else are a great candidate. Of course everyone will use it differently (and many, not at all), but I find it quite handy to know its there even if it's something I'd rarely touch.
Timmy_the_tortoise 15th July 2008, 15:05 Quote
Quote:
Originally Posted by Tile
It's absolute stupidity to host pictures of your important events on a 3rd party host.

What? You think everyone has their own personal (1st party) host server which they can upload to and their friends around the world can access at any point?
Arkanrais 15th July 2008, 15:19 Quote
What? This trick never worked for me. I've gotten the URL from many people's Photobucket accounts using the 'copy image location' option on FF, then pasted it into the address bar and taken off the file name, leaving the album name, leading me to their album. Never works for private ones; a forum I'm an admin on has VIP and Staff tags that are made of pictures so they can be placed under people's avatars, and these pictures are located in an album set to private (presumably so people can't go sneaking through the album, as the forum is a 'membership by approval from staff' type deal).

Simply put, setting your album to 'private' means people can't browse it, but if you embed an image in a forum from that album, everyone can see it. You can also give people the password to the album so they can browse it, without all the riff-raff seeing what's inside.
frontline 15th July 2008, 15:28 Quote
I only upload pics to Photobucket and ImageShack that I'm going to link to web forums and the like.
Blademrk 15th July 2008, 15:29 Quote
I would have thought setting an album to private means that you can share the photos in that album with only the people you actually want to share that album with.
Timmy_the_tortoise 15th July 2008, 15:35 Quote
Quote:
Originally Posted by Tile
Quote:
Originally Posted by Timmy_the_tortoise
What? You think everyone has their own personal (1st party) host server which they can upload to and their friends around the world can access at any point?

You're totally wrong here because some pictures are absolutely private and no responsible person would host them on a 3rd party hosting service that can be easily hacked.

I'm sorry, I don't understand your argument.
Cheapskate 15th July 2008, 17:52 Quote
I just want to know when they are getting rid of all the bloat. They load everything but the 'glitter effect' applet on the damn pages. I have a high speed connection, it shouldn't take a full minute to load a page.
Arkanrais 15th July 2008, 18:02 Quote
Quote:
You're totally wrong here because some pictures are absolutely private and no responsible person would host them on a 3rd party hosting service that can be easily hacked.
I didn't realize hackers were after those photos of me being drunk at an office party or someone else's photos of their weight loss progression, or someone giving birth.
You know you can use sites like Photobucket to store pictures so that you can get them from any other computer that has internet access (I know USB memory sticks make this somewhat redundant). You can also use Photobucket for backing up your photos as it holds 1GB (I thought it was 5GB, but just checked and it's now 1GB :\ ). There is a lot you can do with it aside from the standard storage for forum images.
Timmy_the_tortoise 15th July 2008, 18:46 Quote
Quote:
Originally Posted by Tile
Backing up photos on Photobucket - no way because the pics can be deleted during maintenance.

If there is an accident which The Photobucket team will promptly apologize for..

That's like saying backing up Government data on a(n ordinary) hard drive is a no-go because the data can become corrupted during defragging.
1ad7 16th July 2008, 15:24 Quote
I've known this for a long while...... hmm, I should have said something, eh?
Redbeaver 16th July 2008, 19:35 Quote
Quote:
Originally Posted by Timmy_the_tortoise
Quote:
Originally Posted by Tile
It's absolute stupidity to host pictures of your important events on a 3rd party host.

What? You think everyone has their own personal (1st party) host server which they can upload to and their friends around the world can access at any point?

No, but I think if you need to show your friends a bunch of important event pictures, you can just email them or burn them a CD or lend them your USB kit or something... anything BUT a 3rd party online host that is accessible to the public...

IMHO anyway...