A glitch in a photo booth maker’s website exposes customers’ photos

A company that makes photo booths has exposed photos and videos of its customers online, thanks to a minor glitch on its website where the files are stored, according to a security researcher.

The researcher, who uses the name Zeacer, alerted TechCrunch to the security issue in late November after reporting the vulnerability in October to Hama moviea photo booth manufacturer with a franchise presence in Australia, United Arab Emiratesand USbut I did not receive a response.

Zeacer shared with TechCrunch a sample of images taken from Hama Film’s servers, which clearly showed groups of young people posing in photo booths. Not only do Hama Film’s kiosks print photos like a typical photo booth, but the kiosks also upload customer photos to the company’s servers.

Vibecast, which owns Hama Film, has not yet responded to his messages alerting the company to these problems. Vibecast also did not respond to several requests for comment from TechCrunch, nor did Vibecast co-founder Joel Park respond to a message we sent via Linkedin.

As of Friday, the researcher said the company had not yet fully resolved the security flaw and was continuing to disclose customer data. As such, TechCrunch is withholding specific details of the vulnerability from publication.

When Zeacer first discovered the flaw, he noted that photos seemed to be deleted from the photo booth maker’s servers every two to three weeks.

Now, photos stored on servers appear to be deleted after 24 hours, limiting the number of photos exposed at any given time, he said. But a hacker can still exploit the vulnerability he discovers every day and download the contents of every photo and video on the server.

Before this week, Zisser said he had at one point seen more than 1,000 photos online of Hama Film kiosks in Melbourne.

This incident is the latest example of a company that was not, at least for some time, implementing some basic and widely accepted security practices, such as price caps. last month, TechCrunch reported that government contracting giant Tyler Technologies It was not limiting the rate of its websites used to allow courts to manage their jurors’ personal information. This means that anyone could break into any juror’s personal file by running a computer program capable of guessing their date of birth and their easy-to-guess numerical ID.