
A photo booth manufacturer is exposing customer photos and videos online because of a basic security flaw in how its website stores files, according to a security researcher who says the issue remains unresolved months after being reported.
Researcher Finds Public Access to Stored Photos
The researcher, known as Zeacer, told TechCrunch he discovered the vulnerability and reported it to Hama Film in October. After receiving no response, he contacted TechCrunch in late November. Hama Film operates photo booths through franchises in Australia, the United Arab Emirates and the United States.
Zeacer shared sample images obtained from Hama Film’s servers that showed groups of young people posing in photo booths. In addition to printing photos on site, Hama Film’s booths upload customer images to company servers, where the files were accessible due to the flaw.
Company Has Not Responded to Disclosures
Hama Film is owned by Vibecast. Zeacer said neither Vibecast nor its co-founder, Joel Park, responded to his attempts to disclose the issue. Vibecast also did not reply to multiple requests for comment from TechCrunch.
As of Friday, Zeacer said the vulnerability had not been fully addressed and customer data remained exposed. TechCrunch said it is withholding technical details of the flaw to avoid enabling misuse.
Scope of Exposure and Partial Changes
When Zeacer first identified the issue, he said images appeared to remain on the company’s servers for two to three weeks. He later observed that files now appear to be deleted after about 24 hours, reducing the volume of exposed content at any one time.
The shorter retention period narrows the exposure window but does not fix the underlying access-control failure: Zeacer said an attacker could still exploit the flaw once a day to download every photo and video held on the servers at that time, and over weeks would accumulate the same material as before. Before the recent change, he said he observed more than 1,000 images publicly accessible from Hama Film booths in Melbourne alone.
Broader Security Context
The incident adds to recent examples of organizations failing to apply widely used, low-cost security protections. TechCrunch reported last month that U.S. government contractor Tyler Technologies did not rate-limit requests to websites that courts use to manage juror information, so automated requests could be used to access jurors' personal profiles.
