I got an email from Ryan N today describing a huge privacy leak in Photobucket - allowing anyone to look at anyone else's private photos. Photobucket normally protects photos by password-protecting them. However, as Ryan found, a username/password is not the only way to access the photos:
Here's a random livejournal user's "bucket"
As you can see, it requires a login.
Replace the subdomain with 'pb5' and voila, you're in:
As you can see, simply requesting the exact same directory on another hostname gives you complete access to the user's private photos. Allowing directory indexing is not always a bad thing - sometimes it's a huge convenience. Other times it's a huge privacy leak that can cause people a lot of trouble and pain. Who knows what private photos people store there? This is a great example of why you can't think about applications the same way browsers do (same domain policy). Other servers can provide equal or better opportunity for exploitation and data leakage if they are somehow tied together, for instance by serving the same directory tree. It's best to explore all options when doing penetration testing. Nice find, Ryan!
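The flaw class above, modelled as an added example (not Photobucket's code and not from the original post): a private album directory is served by two hostnames, and the login check is tied to the hostname rather than to the album. The hardened handler decides authorization from the resource's own policy on every host it answers for, refuses hostnames it does not expect, and a small regression check confirms that no host serving the tree answers an anonymous request for a private path. All hostnames, usernames and album paths are constructed for the example; "pb5" comes from the post.

```python
"""Host-bound versus resource-bound authorization (added example)."""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample data: one user with a private and a public album.
ALBUMS = {
    "/albums/alice/private/": {"owner": "alice", "private": True,
                               "files": ["photo1.jpg", "photo2.jpg"]},
    "/albums/alice/public/": {"owner": "alice", "private": False,
                              "files": ["party.jpg"]},
}

CANONICAL_HOST = "img.example.test"     # hypothetical front-end host
MIRROR_HOSTS = {"pb5.example.test"}     # hypothetical extra host serving the same tree


@dataclass
class Request:
    host: str
    path: str
    user: Optional[str] = None          # authenticated username, None if anonymous


def serve_vulnerable(req: Request) -> Tuple[int, List[str]]:
    """Login check keyed on the hostname. Any other host serving the same
    directory tree falls through to the raw listing, as in the post."""
    album = ALBUMS.get(req.path)
    if album is None:
        return 404, []
    if req.host == CANONICAL_HOST and album["private"] and req.user != album["owner"]:
        return 403, []
    return 200, album["files"]          # mirror host: listing served unconditionally


def serve_hardened(req: Request) -> Tuple[int, List[str]]:
    """Authorization decided from the album's own policy, on every host.
    Unknown Host values are refused so a forgotten alias cannot bypass it."""
    if req.host != CANONICAL_HOST and req.host not in MIRROR_HOSTS:
        return 404, []
    album = ALBUMS.get(req.path)
    if album is None:
        return 404, []
    if album["private"] and req.user != album["owner"]:
        return 403, []
    return 200, album["files"]


def leaking_hosts(handler, path: str) -> List[str]:
    """Defender-side regression check: send an anonymous request for a
    private path to every host that serves the tree and return the hosts
    that answer 200. An empty list is the expected result."""
    hosts = {CANONICAL_HOST} | MIRROR_HOSTS
    return sorted(h for h in hosts if handler(Request(h, path))[0] == 200)


if __name__ == "__main__":
    private = "/albums/alice/private/"
    print("vulnerable leaks on:", leaking_hosts(serve_vulnerable, private))
    print("hardened leaks on:  ", leaking_hosts(serve_hardened, private))
```

Run as a script it reports that the vulnerable handler leaks on the mirror host only, while the hardened one leaks on none; the same `leaking_hosts` check belongs in a deployment's test suite, fed the real list of hostnames that resolve to the image servers.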