Photobucket Allows Public Access To Private Photos
I got an email from Ryan N today describing a huge privacy leak in Photobucket: anyone can look at anyone else’s private photos. Photobucket normally protects private photos by password protecting them. However, as Ryan found, a username/password is not the only way to access the photos:
Here’s a random livejournal user’s “bucket”
http://img.photobucket.com/albums/v462/glass0rthodoxy/
as you can see it requires a login.
replace the subdomain with ‘pb5’ and voila, you’re in:
http://pb5.photobucket.com/albums/v462/glass0rthodoxy/
As you can see, simply looking at the exact same directory on another hostname gives you complete access to the user’s private photos. Allowing directory indexing is not always a bad thing; sometimes it’s a huge convenience. Other times it’s a huge privacy leak that can cause people a lot of trouble and pain. Who knows what private photos people store there? This is a great example of why you can’t think about applications the same way browsers do (the same domain policy): other servers that are somehow tied to the same data can provide equal or better opportunity for exploitation and data leakage. It’s best to explore all options when doing penetration testing. Nice find, Ryan!
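The check a defender would want after reading this, as an added example and not code from ha.ckers.org or Photobucket: request the same protected path through every hostname that fronts the shared album storage and flag any host that answers 200 where another host demands credentials. The hostnames appear in the post; the album path, the canned responses and the `fake_fetch` stand-in are constructed, and in a real audit `fetch` would issue HTTP requests.

```python
"""Authorization-consistency audit across hostnames that share one backend.

Added example, not code from ha.ckers.org or Photobucket. The canned
responses are constructed to mirror the behaviour described in the post:
the canonical host challenges for a login, an alternate host serves a raw
directory index of the same path.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed fixture: (host, path) -> response. The album path and the
# file name are placeholders, not a real user's album.
ALBUM = "/albums/v000/example-user/"
PUBLIC_ALBUM = "/albums/v000/public-user/"
FAKE_SERVERS: Dict[Tuple[str, str], Response] = {
    ("img.photobucket.com", ALBUM): Response(401, "Login required"),
    ("pb5.photobucket.com", ALBUM): Response(
        200,
        "<html><head><title>Index of /albums/v000/example-user</title></head>"
        '<body><a href="photo1.jpg">photo1.jpg</a></body></html>',
    ),
    ("img.photobucket.com", PUBLIC_ALBUM): Response(200, "<html>album page</html>"),
    ("pb5.photobucket.com", PUBLIC_ALBUM): Response(200, "<html>album page</html>"),
}


def fake_fetch(host: str, path: str) -> Response:
    """Stand-in for an HTTP GET; a real audit would wrap urllib or requests here."""
    return FAKE_SERVERS.get((host, path), Response(404, "Not Found"))


# Autoindex pages from Apache/nginx-style servers title themselves "Index of <path>".
LISTING_RE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)


def is_directory_listing(resp: Response) -> bool:
    return resp.status == 200 and LISTING_RE.search(resp.body) is not None


def audit_hosts(fetch: Callable[[str, str], Response],
                hosts: List[str], path: str) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for hosts that serve `path` with a 200
    although at least one other host in the set protects it with a 401/403.

    If no host protects the path it is treated as public and nothing is flagged.
    """
    results = {h: fetch(h, path) for h in hosts}
    protected_somewhere = any(r.status in (401, 403) for r in results.values())
    findings: List[Tuple[str, str]] = []
    if not protected_somewhere:
        return findings
    for host, resp in results.items():
        if resp.status == 200:
            kind = "directory listing" if is_directory_listing(resp) else "content served without auth"
            findings.append((host, kind))
    return findings


if __name__ == "__main__":
    hosts = ["img.photobucket.com", "pb5.photobucket.com"]
    for host, kind in audit_hosts(fake_fetch, hosts, ALBUM):
        print(f"{host}: {kind}")
```

The audit treats the strictest answer in the set as the policy and reports every host that is more permissive, so it also catches a host that serves the files without a directory index. Run it against every hostname that resolves to the shared storage, not just the ones the application links to.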
July 13th, 2007 at 3:05 pm
This certainly was a nice find, and something worthy of worsethenfailure.com. I should make something to just crawl everything; I’m lazy.
July 13th, 2007 at 3:06 pm
just grab a bunch of users, and pump them through wget -r
July 13th, 2007 at 3:14 pm
I would like to refer you to http://www.awesomeandrew.net/index2.php?content=pbt, which is a collection of usernames I have archived using similar methods.
July 13th, 2007 at 3:17 pm
nice. one boob for you:
http://pb5.photobucket.com/albums/v320/amyandthemoon/Cam2778-1.jpg
post them here
July 13th, 2007 at 3:30 pm
NSFW alert!
July 13th, 2007 at 4:14 pm
I had written a program in .NET for archiving images in PhotoBucket accounts, but had purposely stayed away from adding the functionality of using this method as not many people knew of it, and it would have easily been disclosed by simply analyzing the requests made by my program. Because this vulnerability is public now I may add it to my program, but there’s the chance it could be patched by PhotoBucket, which makes me slightly reluctant. To those interested however I offer an archiving program I entitled, “ScuzBucket Dumper”, that I released last month. http://awesomeandrew.net/index2.php?content=scuzbucket
July 13th, 2007 at 7:52 pm
Wow, the newb level went through the roof with this post. The point is not to exploit it. The point is to show the vulnerabilities so we can all learn from them. All I talk about are exploits all day long. If this is the one thing that you are worried about being fixed of alllll the things I talk about you are focusing on completely the wrong types of exploits, or are completely ignorant of the real exploits out there. This is absolutely nothing compared to what I usually talk about. But thanks for writing in!
- Edit - Moderating off the newbs. Thank you for your love and affection.
July 13th, 2007 at 8:38 pm
They’re sad because this was an easily used hole to see some random boobies.
Looks like it’s fixed already anyway.
July 13th, 2007 at 9:14 pm
This has been fixed
July 13th, 2007 at 9:19 pm
Haha, well I’m sure there are plenty of other places to find porn out there, and likewise I’m sure there will be plenty more holes in photo hosting services. It was a trivial fix, so it’s no surprise they did so quickly.
July 13th, 2007 at 9:26 pm
Can you think of any other PB exploits off the top of your head?
July 13th, 2007 at 9:54 pm
That’s probably a better question for someone who actually uses the site.
I’m sure other people have found exploits in their services and other photo hosting services if you ask around.
July 13th, 2007 at 10:20 pm
well if you hear anything! =]
July 13th, 2007 at 10:44 pm
I always seem to….
Btw, I should point out that it’s interesting that people were upset about me talking about this. If I hadn’t said anything no one would have known about it - making it not useful. As I did tell everyone about it, it got fixed and then it’s also un-useful. Either way it’s not useful. I like to call it logic.
July 14th, 2007 at 12:46 am
Well, I think you are wrong there, because you’re not the only one that found out about this little trick.
So it was fun while it lasted.
July 14th, 2007 at 4:18 am
I noticed that the image search is vulnerable to XSS :-/
poorthobucket
July 14th, 2007 at 4:37 am
They fixed it between 3 and 4 am last night (UK time).
But there is a saying….
Security is futile and you will be owned sooner or later.
Photobucket must have received so many complaints and lawsuits, because in fact they did expose almost all their users’ privacy. Protecting people’s privacy should have been the main priority and a constant goal of any service as such. Maybe we’ll read in the news: “The Photobucket spokesman said: blah blah formal excuse…” This won’t help anything since the damage was already done, and a serious bunch of users won’t use their service again.
July 14th, 2007 at 8:56 am
For the people who DID know about it, this is probably as close as they’ve come to zero day.
Seems the only people who wouldn’t want you talking about it are the people who already knew about it. Hence, it was useful for them but you made it un-useful.
Either way it’s fixed
July 14th, 2007 at 9:58 am
Looks like there were some older exploits in /svc/api.php (those of you whining about your loss of precious lolboobs or whatever probably already knew about it).
If this ‘pb5’ exploit was around as long as some message boards claim it was, then I HIGHLY doubt the API is anywhere near secure.
You may want to try digging around the flock source code.
July 14th, 2007 at 2:14 pm
- more moderation required -
It seems that more people knew about this (which wasn’t clear to me in the email I received). Sorry for “ruining” things for people who apparently were abusing this system for a while. Alas… Let me make this clear to everyone - if you email me with exploits and say post them, I will. So don’t blame _me_ that someone else asked me to post something on their behalf. If I hadn’t posted it for him someone else would have. Logic, my friends, logic. Get over it, it’s fixed.
July 14th, 2007 at 5:50 pm
Woohoo…
I missed something.
Bottom line is: don’t store your private pics anywhere.
July 14th, 2007 at 7:23 pm
Nice finding, seems that the people concerned have fixed the bug!
July 14th, 2007 at 8:42 pm
2 things…
1. Is the TOS’d exploit still working? I was under the impression they were 2 separate exploits.
2. There is another way, you must have patience though. It is very easy but time consuming, and it isn’t an exploit. Do your homework, people.
July 14th, 2007 at 9:41 pm
RE #1, AFAIK this was NOT the TOS exploit, as it was not giving access to TOS’d images.
July 14th, 2007 at 10:50 pm
It’s not as easy as the bug you wrote about, but their login is susceptible to XSS as well. So you’d just have to social engineer someone to log in with a username containing the XSS and then you could just have their password.
July 15th, 2007 at 1:38 am
Yes, there is no guarantee. That is not what I’m referring to. I’m at a 100% success rate with my method, and it has nothing directly to do with the owner of the bucket.
July 15th, 2007 at 3:18 pm
You know, all you’ve gained from posting this publicly is spoiling the fun for people who might have already found this and wanted to look around etc.
I know that as a whitehat you gain some kind of buzz by being the little granny who informs people of their flaws, but at the end of the day nobody cares, for if it is not public information there is in effect no problem anyway.
July 15th, 2007 at 8:33 pm
it doesnt work
July 16th, 2007 at 9:25 pm
I’m really new to this sort of thing and didn’t realize Photobucket had exploits like this. Does this happen often, or is this some kind of fluke?
July 16th, 2007 at 11:20 pm
Actually, this hack was required in order to access the TOS hack so the TOS hack is also no longer available. Thanks again for posting it and ruining it.
July 17th, 2007 at 9:51 am
Hey rsnake,
I checked junk and all that and nothing was there for email activation. I tried to email you but couldn’t find your address anywhere, so sorry about the comment. Do you think you could manually add me as a user so I can post on sla.ckers.org?
Thanks a lot,
navairum
July 17th, 2007 at 11:55 am
@Anonymous Coward - You’ve got some crazy logic there my friend. Guess you’ll need to find a new exploit.
@Iceman - from what I am aware of there has been a number of flaws found in their software.
@Germy - No idea what a TOS hack is. I have never used Photobucket - I’m not up on the l33t hacks in that service. I know my teenaged nephew used that service at some point - I figured it was only for teenagers. I’m not sure what I ruined other than disclosing something someone else was going to disclose anyway if I hadn’t. Read the post - I was not the one who found it, I was asked to disclose it on his behalf. I had no idea anyone was using it, therefore you are getting mad at my ignorance, rather than anything I did to intentionally hurt you or anyone else. Please look elsewhere for scapegoats.
July 17th, 2007 at 3:50 pm
rsnake, is there an email I can reach you at? I have a few questions maybe you can help me with? Thank you!
July 17th, 2007 at 9:21 pm
Is it seriously working for you guys?… because it’s not for me.
July 17th, 2007 at 10:10 pm
navairum you can email me for access or try another email address as some services block our mail server.
sl at this domain, or rsnake who is h at this domain (base domain ckers.org)
July 18th, 2007 at 6:01 am
Just an FYI:
Google for the person’s name…
http://www.google.com/search?q=%2Fglass0rthodoxy%2F&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
Then view the cache…
http://216.239.51.104/search?q=cache:46W20lNmYrYJ:pb5.photobucket.com/albums/v462/glass0rthodoxy/+/glass0rthodoxy/&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a
Then view the images…
http://pb5.photobucket.com/albums/v462/glass0rthodoxy/0a4a4112.jpg
Works for this example…don’t know if it works for others?
July 18th, 2007 at 7:13 am
@iBMX - no the hole is fixed.
@bob and navairum - both id and my email addresses are located on the about us page linked to from the homepage. We don’t exactly hide our addresses.
@SF - very good point… There’s no reason Google wouldn’t have cached some amount of the private photos since the robots.txt file doesn’t disallow indexing.
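The indexing point made in the exchange above, as an added example that is not part of the original post or the site’s code: Python’s standard `urllib.robotparser` evaluates a URL against a robots.txt body the way a compliant crawler would. Both robots.txt bodies below are constructed for illustration (the site’s real file is not shown on the page), as is the album path.

```python
"""Does robots.txt permit crawlers to fetch album paths?

Added example, not code from ha.ckers.org or Photobucket. Both robots.txt
bodies are constructed; the site's real file is not shown in the post.
"""
from typing import List
from urllib.robotparser import RobotFileParser

# Constructed: a file that never mentions the album tree, so any crawler
# may index and cache whatever an unauthenticated host serves from it.
PERMISSIVE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
"""

# Constructed: the same file with the album tree withheld from crawlers.
RESTRICTIVE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /albums/
"""


def crawler_may_fetch(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """Evaluate `url` against a robots.txt body as a compliant crawler would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


def crawlable_paths(robots_txt: str, host: str, paths: List[str]) -> List[str]:
    """Return the subset of `paths` a compliant crawler may fetch from `host`."""
    return [p for p in paths if crawler_may_fetch(robots_txt, f"http://{host}{p}")]


if __name__ == "__main__":
    # Placeholder album URL, not a real user's album.
    album = "http://pb5.photobucket.com/albums/v000/example-user/"
    print("permissive :", crawler_may_fetch(PERMISSIVE_ROBOTS, album))
    print("restrictive:", crawler_may_fetch(RESTRICTIVE_ROBOTS, album))
```

A Disallow rule only instructs cooperative crawlers and does nothing about copies that were already fetched and cached, so it is hygiene, not a control: the fix is to deny the unauthenticated request on every hostname, and then ask the search engine to purge what it already holds.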
July 18th, 2007 at 6:15 pm
How do you view the cache?
July 18th, 2007 at 7:37 pm
Hello - I’m really hoping that someone will know the answer to this. Any time I search for a photobucket on Google to check out its cache, Google doesn’t come up with any results. This isn’t just for one or two photobuckets either, it’s for anything I look up. Am I doing something wrong? Or am I just that unlucky?
July 18th, 2007 at 7:47 pm
I can’t get the Google search to work for anything else, I just get the no matches found page.
July 18th, 2007 at 8:44 pm
http://www.google.com/search?q=site:pb5.photobucket.com
real useful tip… or not
July 18th, 2007 at 9:57 pm
What’s up with that? bunch of dirty voyeurs!
July 19th, 2007 at 7:47 am
Nice find… stopped working fairly recently though.
Hehe it was fun while it lasted
July 19th, 2007 at 8:25 am
Index of /albums/v462/glass0rthodoxy is all that came up when I clicked your link phpwin
July 19th, 2007 at 10:18 pm
@RSnake - By TOS hack I mean photobucket pulls pictures that violate their terms of service, hence the acronym TOS. The hack allowed access to the server where photobucket stored the pictures it pulled. It was a goldmine of naughty sh*t.
Just because someone sends you something, doesn’t mean you have to post it. Would you jump off a bridge if I sent you an email requesting it? Sure, it may have been posted eventually, but you’re the guy that posted it, so yes, it is your fault that the hack was patched because you posted it first. What’s the point of a hack that doesn’t work anyways? Why would you post any hack on the internet? Photobucket thanks you for being their bitch.
July 20th, 2007 at 11:16 am
@Germy - Thanks for the explanation on the TOS hack, I don’t really care and didn’t ask, but thanks anyway. People like you crack me up. Thanks for the laugh.
July 22nd, 2007 at 12:55 pm
I can’t believe there are people out there who, after intentionally invading someone’s private photos - regardless of whether there was an omgz saucy hack or not - would then have a hissy fit when the hole was fixed.
Jeez, I thought that better security on web pages that hundreds of users use would be a good thing; instead people are becoming annoyed that they can’t gawk at a pair of breasts. Damn, have my knickers been twisted the wrong way tonight [in a non-crude way!]
July 22nd, 2007 at 9:52 pm
Germy… if you can, how did you find out what server the TOS images were stored on? Obviously there are hundreds of servers, i.e. img, i57, s45, vid39 and so on. I didn’t realize that PB actually stored the removed images. They must just store them for a particular amount of time in case someone complains about them being removed.
cheers mate.
July 23rd, 2007 at 10:57 pm
@estar - actually, I think they store them for legal reasons. I’m not going to say the file path here because some rat will f*ck it up.
@snake - i mean is this a hackers site or a security site? the name is ha.ckers.org. If your site is for ‘hackers’, then why ruin our fun? why is it your job to expose security vulnerabilities? is this a security site? why don’t you shave you sideburns and go beat up a black guy you pig.
@emma - I like to gawk at breasts, so f*ck you. We’re not here to increase security on corporate web pages, we’re here to exploit them. The name of this site is hackers.org, not pussies.net, so pull your twisted knickers out of your fat ass and mind your own fuc*ing business. Anyone who posts private pictures to a website is f*cking retarded anyways.
July 24th, 2007 at 4:38 am
Germy… no worries mate, respect your reasoning, I’ll keep on trying to work this one out myself! Cheers
July 24th, 2007 at 8:35 am
@germy - “i mean is this a hackers site or a security site? the name is ha.ckers.org.” No, the name is “ha.ckers.org web application security lab.” We do both - we find vulnerabilities and we talk about fixing them. You asked “why ruin our fun?” I’m not sure how many times I have to say this, but I had no idea anyone was actually using it. I didn’t intentionally disclose something I felt was in use - if I had I surely would have mentioned that fact (as I did in the phisher interview for instance).
The thing I find confusing is the fact that you actually think this is a “hack.” An open directory is not a hack. This is actually one of the stupidest posts I’ve ever done - except for the fact that it affects so many people.
July 24th, 2007 at 6:37 pm
It seems there is another exploit using Feed to gain a list of filenames from private albums. feedHostname feed.rss
July 24th, 2007 at 8:45 pm
So does this work anymore? Or is it not possible to view private albums on Photobucket any more?
July 24th, 2007 at 11:32 pm
@Tom: I take it you haven’t actually confirmed that?
I experimented with that approach and didn’t have any luck. PhotoBucket returns an RSS feed for public albums, and a blank page for private albums. Simple as that, unless there’s some trick to it.
July 25th, 2007 at 2:46 am
Re:Tom .. How do you use this exploit?
July 25th, 2007 at 8:59 am
# Tom Says:
July 24th, 2007 at 6:37 pm
It seems there is another exploit using Feed to gain a list of filenames from private albums. feedHostname feed.rss
Can you explain what you are talking about? Where can I get this other exploit? You can e-mail it to me, & I swear I wouldn’t tell a soul, esp. if I knew it’d be patched if I told the world. lol. But please help me with this other exploit.
July 25th, 2007 at 10:05 am
Oh, to TOM:
the feed only works on public albums.
July 25th, 2007 at 6:22 pm
Ha, every time I find a hack for Photobucket I’m a day late and a dollar short; those things get patched quite quickly.
July 26th, 2007 at 12:28 pm
Send $100 each and I’ll teach you all the l33t stuff about how to steal pictures from a “photobucket”. For an additional $50 I’ll throw in a picture scraper for flickr!
Good stuff, the first 10 get a $10 discount so hurry up!
July 26th, 2007 at 1:35 pm
I’ll paypal the $100. Email me at mkst33@yahoo.com
July 27th, 2007 at 12:33 am
Damn, research the shit yourself the right way and you won’t have to pay nobody no 100 bucks. I always find the exploit.. but I never find it early enough to enjoy it.. but sally u gotta be a fool to pay a fool 100 dollars. Keep ur money and research the hell outta Google.. u will stumble across something.. or just stick to the fusker. Damn desperate asses!
July 27th, 2007 at 3:15 am
Fools, just download ‘Teleport Pro’ with uTorrent, and you’ll copy the whole site in a few hours. It’s called scraping & snatching, all legit.
July 27th, 2007 at 5:50 am
Teleport Pro still requires you to enter a user/pass for private content. Is there a way to get around this? What settings are needed? Thanks!
July 27th, 2007 at 6:19 am
@Ronald van den Heetkamp you really don’t know anything about PB, do you?
It would be great if a hacker like you could spend some time on it. PB is like a big boat full of holes… Go go boy and make us all happy;)
July 27th, 2007 at 10:29 am
Somebody, hack this one:
http://smg.photobucket.com/albums/v634/chameleonmarke/
July 27th, 2007 at 4:08 pm
Not looking for handouts but would greatly appreciate a gentle nudge in the right direction to uncover exploits myself. As I would expect, finding them would be the most fun and intriguing. The spoils would seem much nicer knowing you did it yourself.
August 1st, 2007 at 9:42 am
OMG! These comments are so full of FAIL it hurts.
@RSNake - where the hell are all these people coming from? It seems you got linked from some sort of clueless n00b nexus or something. I’m just wondering what is it. lol
August 1st, 2007 at 6:10 pm
August 3rd, 2007 at 2:57 am
http://img.photobucket.com/albums/v634/chameleonmarke/Fam/1241537422_l.jpg
http://img.photobucket.com/albums/v634/chameleonmarke/Money/6427805462.jpg
August 3rd, 2007 at 3:02 am
I just posted that thing for that PB account the person asked for, I was just thinking it’s probably better not to post it, do what you will though.
Thanks
August 4th, 2007 at 4:20 am
Does this actually work? Is there a way to see people’s photos on private photobuckets?
’Cos when I tried to do it, it wouldn’t work. =[
August 4th, 2007 at 1:11 pm
Does anyone have a hack for this, what really works, I soo wanna hack my ex’s PB account, 2 get back at her & delete the pics of us :D, if anyone can help email me theside118@gmail
August 4th, 2007 at 1:11 pm
theside118@gmail.com even
August 5th, 2007 at 8:47 am
some one hack this account plz nigga stole my pics how gay
http://smg.photobucket.com/albums/v336/XDavonX/
August 5th, 2007 at 11:16 am
There’s a new exploit, and it hasn’t been patched yet as far as I know..
so keep trying.
August 5th, 2007 at 3:29 pm
New exploit has been patched, how lame. Everyone move along, nothing to see here.
August 5th, 2007 at 7:59 pm
Wow. I didn’t even realize this blog was still being commented on. As far as “exploits” go there are still at least two issues that continue to work.
August 6th, 2007 at 8:04 am
How do you guys go about figuring out these exploits? Yes, I am an idiot, I know nothing about hacks and whatnot, but I’d really love to know. I’m sure the same thing has been asked already but if there’s any help anyone could give, it’d really be appreciated. I’ll let you know my email address if you’re willing to talk about it privately!
August 6th, 2007 at 10:34 am
When are you gonna release those exploits? Or are you not?
August 6th, 2007 at 4:54 pm
Yeah…. one of those exploits is already patched up… only took a few days. Thanks fuckers.
And we find the exploits because we have half a brain, know how to read, and don’t count on someone else doing work for us, now you can go eff yourself too buddy…
August 10th, 2007 at 12:06 am
Ok guys, I could reallllly use some expertise here, I’m a complete moron when it comes to anything to do with this kinda stuff. But - I’m decently computer savvy, so walking me through this wouldn’t be too difficult.
I am going away to the Bahamas in 2 days for my 3 year anniversary, and I could really use someone’s help. I was putting a collage together for my girlfriend, and stupid me stored ‘naughty’ pictures on Photobucket.. I thought it’d be cool and all since my account is private. But there HAS to be a way to get them back..
Can someone PLEASE help me with this? I’d reallllly appreciate it beyond belief.
my email is sportz03@gmail.com
August 10th, 2007 at 5:11 pm
That pb5 thing does not work.
August 10th, 2007 at 7:06 pm
I could really use these exploits myself. If you could, please send them to yousaywhatisay@yahoo.com
August 10th, 2007 at 9:22 pm
I dunno where to post this question and have tried other unsuccessful places.
I am banned from a forum and can’t get in; a proxy server does not help as you have to have a specific username and password that match your username and password for the place,
i.e. you play on isnooker.com and to join the forum you need to have the same password/username that you signed up to the game with, otherwise you can not read the forum. I was banned so can’t get back in.
Can anyone help?
August 14th, 2007 at 8:14 am
C’mon
I want the exploit
theswollenboy@yahoo.com
August 17th, 2007 at 1:47 am
This page has been linked to on Digg, that’s where all your morons are coming from.
August 18th, 2007 at 6:31 am
Maybe instead of posting the exploits and whatnot online, just set up a hotmail account with all the email addresses of people that want it stored to it as contacts and just email it to them? Maybe then they won’t get patched so quickly.
October 2nd, 2007 at 1:19 pm
I totally agree that if people find these so called ‘exploits’ they should not tell everyone and their sister about them since that does lead to the patching up really quickly. In other news though, I would like to know how people ‘stumbled’ upon these loopholes. I obviously don’t know enough about this stuff. Could someone point me in the right direction as in ‘how to guides’ or even what to search for so I could learn how to find my own holes?
Thanks,
A-team
November 28th, 2007 at 6:17 pm
A safer alternative to photobucket is http://www.myotherdrive.com. Private files are private, and sharing is done either publicly or to groups of friends you define. Oh yeah, more space, hyperlink access, and bulk uploads make this site a real contender.