Are you still storing your private photographs and videos on the internet? How much trust are you putting in online companies to keep unauthorised eyes from seeing your personal snapshots and intimate home movies?
It’s a question that keeps arising, and is again this week following news that two men have been arrested for allegedly creating, marketing and selling a tool designed to allow unauthorised access to images and videos stored on Photobucket.
The tool, imaginatively entitled Photofucket, was allegedly sold by 39-year-old Brandon Bourret of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California, to allow people to circumvent the privacy of Photobucket users.
To understand just what the Photofucket tool was doing, it’s important to understand how Photobucket works.
When you create an album on the Photobucket website, you can give it one of three different privacy settings: public, private or password-protected.
Public Photobucket albums are visible to the world, including search engines, and anyone can access your album and browse your photos.
Private albums on Photobucket aren’t listed on the site’s search engine, or in third-party search engines like Google. However, Photobucket users can share photographs in their private album with others, without giving access to the entire album.
Finally, password-protected Photobucket albums are not searchable on the site or in Google, and require a password to view their contents. Guest passwords can be shared with other viewers to allow access to password-protected albums.
Marketing material for the questionable Photofucket tool makes clear that it can raid a private Photobucket album, and attempt to download its entire content by guessing filenames:
“Photofucket is a client software application designed to fusk content from private Photobucket albums and download content from public Photobucket albums.”
“If you have the password to a private account, Photofucket can download all the content from the album just as quickly and easily as if it were a public album.”
“Photofucket can attempt to download the content of a private album using a brute-force method called “fusking,” where the program tries to download content by guessing the names of files that might be in the private album.”
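From the defender’s side, the “fusking” described above has a recognisable footprint: one client requesting a run of guessed filenames inside a single album and collecting a burst of 404s, with the occasional 200 when a guess lands. The script below is an added example written for this article, not code from Photobucket or from the tool under discussion. It parses a handful of constructed combined-log-format lines (invented hostnames, paths, addresses from the documentation ranges, and timestamps) and flags any (client, album) pair that racks up at least a threshold of 404s within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache/nginx "combined" style). Every IP, path
# and timestamp here is invented for this example; 203.0.113.0/24 and
# 198.51.100.0/24 are the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2015:10:00:01 +0000] "GET /albums/u1234/private/IMG_0001.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:01 +0000] "GET /albums/u1234/private/IMG_0002.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:02 +0000] "GET /albums/u1234/private/IMG_0003.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:02 +0000] "GET /albums/u1234/private/IMG_0004.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:03 +0000] "GET /albums/u1234/private/IMG_0005.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:03 +0000] "GET /albums/u1234/private/IMG_0006.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2015:10:00:05 +0000] "GET /albums/u5678/public/beach.jpg HTTP/1.1" 200 90122 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2015:10:00:06 +0000] "GET /albums/u5678/public/beech.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:30:00 +0000] "GET /albums/u1234/private/IMG_0007.jpg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, request line and status code of a combined-log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def album_of(path):
    """Directory part of the request path; treated as the album being probed."""
    return path.rsplit("/", 1)[0]


def flag_enumeration(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, album): peak} for every (client, album) pair that produced at
    least `threshold` 404 responses inside some span no longer than `window`.
    `peak` is the largest number of misses seen in any such span."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["status"] == 404:
            misses[(ev["ip"], album_of(ev["path"]))].append(ev["ts"])

    flagged = {}
    for key, times in misses.items():
        times.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over the sorted miss timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, album), n in flag_enumeration(SAMPLE_LOG).items():
        print(f"possible filename enumeration: {ip} -> {album} ({n} misses within 60s)")
```

On the constructed sample only the 203.0.113.7 run against /albums/u1234/private is flagged; the single typo-style 404 from 198.51.100.9 and the stray miss half an hour later fall below the threshold. The threshold and window are tuning knobs: real users do mistype and follow stale links, so a production rule would also look at how sequential the guessed names are. Detection aside, the more durable fix is to keep private media out of a guessable namespace altogether, for example by serving it under long random identifiers, so that there is nothing for a guesser to iterate over.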
Furthermore, according to a Department of Justice indictment, Bourret and Andrianakis “used the Photofucket application to obtain guest passwords to Photobucket.com users’ password-protected albums” and then made those credentials available to purchasers of Photofucket.
The authorities claim that Bourret paid Andrianakis via PayPal to develop the app, and discussed ways to circumvent Photobucket’s security.
Of course, a preferable course of action would have been to responsibly disclose any vulnerability to Photobucket so it could have been investigated and fixed, and perhaps a bug bounty could have been paid.
“Unauthorized access into a secure computer system is a serious federal crime,” said FBI Denver Special Agent Thomas Ravenelle in a Department of Justice press release. “The arrest of Brandon Bourret and his co-conspirator reflects the FBI’s commitment to investigate those who undertake activities such as this with the intent to harm a company and its customers.”
If convicted, the men face charges that could result in penalties of up to 10 years in prison.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.