Photo Booth Website Flaw Exposes Customer Pictures

Photo Booth Company Exposes Customer Data Online

A security vulnerability on the website of a photo booth company is leading to the public exposure of customer photos and videos, as discovered by a security researcher.

The researcher, known as Zeacer, initially contacted TechCrunch in late November regarding the issue. He had previously reported the flaw to Hama Film, the photo booth manufacturer with operations in Australia, the United Arab Emirates, and the United States, in October, but received no response.

How the Vulnerability Works

Hama Film’s photo booths offer a dual functionality. They not only produce printed photos, but also upload customer images to the company’s servers.

Zeacer provided TechCrunch with examples of images retrieved from Hama Film’s servers, depicting groups of young individuals posing within the booths.

Lack of Response from the Company

Despite repeated attempts, Vibecast, the parent company of Hama Film, has not responded to messages regarding this security concern.

TechCrunch’s requests for comment have been ignored, and Joel Park, Vibecast’s co-founder, has not replied to a message sent via LinkedIn.

Ongoing Exposure of Data

As of Friday, the researcher confirmed that the security flaw remains unresolved, and customer data continues to be exposed.

Consequently, TechCrunch is deliberately withholding specific details of the vulnerability to prevent further exploitation.

Changes in Data Retention

Initially, Zeacer observed that photos were deleted from the company’s servers approximately every two to three weeks.

Currently, images are reportedly deleted after 24 hours, reducing the volume of exposed data at any given moment.

However, this does not eliminate the risk. A malicious actor could still exploit the vulnerability daily to download all photos and videos stored on the server.

Scale of the Exposure

Prior to this week, Zeacer reported observing over 1,000 pictures online associated with Hama Film booths located in Melbourne.

Broader Security Concerns

This incident highlights a recurring issue: companies failing to implement fundamental security measures, such as rate-limiting.

TechCrunch recently reported a similar vulnerability with Tyler Technologies, a government contractor. Their juror management websites lacked rate-limiting, allowing attackers to potentially access juror profiles through automated scripts.

Rate-limiting prevents automated attempts to guess personal information, like dates of birth and identification numbers.

This latest case with Hama Film underscores the importance of robust security practices to protect sensitive customer data.