web application security lab

Another Photobucket Locked and Private Directory Disclosure Issue

I was really hesitant to post this for a few reasons. The first is the sheer number of responses to the last Photobucket photo disclosure issue I posted. The second is that I have never used Photobucket, so I don’t particularly care about fixing issues in their system, other than knowing there are a lot of people who would probably appreciate not having their private pics all over the Internet. I would have used responsible disclosure, but I was asked to post this, and I also tried that last time with Photobucket and didn’t get any response, so I don’t think anyone is manning the black hole that my email apparently went into. I was asked to post this by “Anon”, who was very concerned about this going live as soon as possible. Apparently the photo disclosure issue has been around for more than a year. The email has been snipped and modified in places to hide the identity of the person who sent it to me.

Hi RSnake, there’s a new PhotoBucket vulnerability which has actually been around for about a year now, which allows access to “Private” PhotoBucket accounts. Please publicly disclose this on ha.ckers.org.

The vulnerability lies in an XML file, which is stored in the account, which is located on an IP address that resolves to PhotoBucket.com. For instance, http://s0006.photobucket.com/albums/0006/pbhomepage/, which is the PhotoBucket example account, can be changed to http://66.11.55.160/albums/0006/pbhomepage/.album.xml, which displays an XML file displaying all paths, images, videos, and slideshows. It has access to ALL accounts no matter if they are locked or not. By navigating to http://66.11.55.160/albums/0006/.album.xml instead you will find an XML file containing a list of users’ accounts that are available on the selected server.

Again please disclose this immediately, and anonymously (no mention of me please), so that the issue will be patched.

So there you have it, folks. All Photobucket photos marked as private have been visible for a year to at least the people who found out about this issue and didn’t report it. “Anon”, who forwarded this to me, felt it should be closed immediately. Hopefully this too is fixed rather quickly, like the last one was. Let the onslaught of comments begin.
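The issue described in the email is a virtual-host and dot-file access-control gap: the `.album.xml` metadata is served when the site is reached by IP literal instead of its hostname. The following is an added example, not code from the post or from Photobucket, showing how a defender would spot that pattern in web-server logs and what a corrected server-side policy looks like. It assumes Apache “vhost_combined” log lines (Host header first); the log lines are constructed, and only the server IP comes from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines (vhost_combined style: the first field is the Host header the
# client sent). Clients and timestamps are made up; 66.11.55.160 is the IP named in the post.
SAMPLE_LOG = """\
s0006.photobucket.com 203.0.113.5 - - [21/Aug/2007:14:01:02 -0700] "GET /albums/0006/pbhomepage/ HTTP/1.1" 200 5120
66.11.55.160 203.0.113.5 - - [21/Aug/2007:14:01:09 -0700] "GET /albums/0006/pbhomepage/.album.xml HTTP/1.1" 200 8704
66.11.55.160 198.51.100.7 - - [21/Aug/2007:14:02:30 -0700] "GET /albums/0006/.album.xml HTTP/1.1" 200 40960
s0006.photobucket.com 198.51.100.7 - - [21/Aug/2007:14:03:00 -0700] "GET /albums/0006/pbhomepage/photo1.jpg HTTP/1.1" 200 73000
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_ip_literal(host):
    """True when the Host value is a bare IPv4/IPv6 address (optional :port) instead of a hostname."""
    try:
        ipaddress.ip_address(host.partition(":")[0])
        return True
    except ValueError:
        return False

def is_hidden_path(path):
    """True when any segment of the URL path is a dot-file, e.g. the .album.xml metadata file."""
    segments = urlsplit(path).path.split("/")
    return any(s.startswith(".") and s not in (".", "..") for s in segments)

def find_metadata_leaks(log_text):
    """Return successful (2xx) requests for hidden files; note when the Host was an IP literal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2") or not is_hidden_path(m["path"]):
            continue
        reasons = ["hidden-file"]
        if is_ip_literal(m["vhost"]):
            reasons.append("ip-literal-host")  # the bypass condition described in the post
        hits.append({"client": m["client"], "vhost": m["vhost"], "path": m["path"], "reasons": reasons})
    return hits

def request_allowed(vhost, path, canonical_hosts):
    """Corrected policy: only serve canonical Host values, and never serve dot-files at all."""
    return vhost in canonical_hosts and not is_hidden_path(path)

if __name__ == "__main__":
    for h in find_metadata_leaks(SAMPLE_LOG):
        print(h["client"], h["vhost"], h["path"], ",".join(h["reasons"]))
```

The policy function is the part to port into the real server config: a default vhost that refuses non-canonical Host values plus a deny rule for dot-files closes both halves of the gap.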

26 Responses to “Another Photobucket Locked and Private Directory Disclosure Issue”

  1. Kyran Says:

    Ah, I had known this had existed but not the actual exploit.
    Anyways, it seems I am getting a forbidden when trying to access any of the album.xml’s now.

  2. Le Says:

    Doesn’t work for me =(
    Page not found is what I got

  3. Shadam Says:

    Well that was patched quickly. Or so it seems at least.

  4. RSnake Says:

    Wow, looks like it’s already fixed. Lightning fast. Whomever read that and fixed it please give me a shout offline. I’d be happy to disclose these to you personally, but your current mechanisms for reporting don’t appear to work at all.

    2 hours and 5 minutes. Very impressive.

  5. Le Says:

    Man … they kicked it off so fast =(

  6. ///sm Says:

    wtf man, this has got to stop, you killed it within a couple of hours, does this really help anyone?

  7. RSnake Says:

    I deleted some comments. To answer the above question, yes it helps all the people who would have had their photos stolen. Sorry, I thought that was obvious.

  8. Flimmer Says:

    Some of you kids are pretty stupid, seriously.

    Photobucket is not secure because they don’t need to be. They even state they don’t do SSL because there is no reason for them to. They host pictures/movies (and offer products relating to those) and that is it. Security is not a reason to use it, or a concern of theirs.

    The reason these exploits are found and used is to get pictures that violate Photobucket’s terms of service anyway.

    That is the answer to why they don’t patch these things right away when they get them submitted on their site.

    Now, when a popular blog discloses a vulnerability, it is embarrassing. So they patch it to save face, and that is it. If it’s not widely known, then they don’t care to take the time to fix the bugs few know about.

  9. hackathology Says:

    doesn’t work, they resolved it?

  10. GenericUsername Says:

    Good work RSnake, it’s nice to see you reporting these things to help get security flaws patched.

    (Even more so since -I- have a photobucket account….)

  11. Steve Says:

    This was posted on anon board..within 10 minutes it was closed by photobucket..

  12. NotRSnake Says:

    it helps everyone that would have had their pics stolen? why be an internet superhero? let the billion dollar company (photobucket) fix their issues. they don’t need some guy from a random website doing this stuff for them. they have a giant staff of programmers, etc. i mean no disrespect, but it’s just a little odd. why involve yourself in something that doesn’t have anything to do with you? that’s my question.

  13. bloodman Says:

    the guy who reported this bug is probably an unhappy employee :)

  14. RSnake Says:

    @Steve - so it wasn’t this website that got it closed? Interesting. Where’s the anon board?

    @NotRSnake - I agree, if I never saw the word photobucket for the rest of my life I’d be a happy person. So I encourage them to fix their holes so I don’t have to disclose any more issues.

  15. Ronald Says:

    It’s best to classify this as a privacy breach. But, it is a security issue. Users who submit their photos are giving PB their full trust. PB has to live up to this trust and secure it in order to guarantee privacy. Full security is impossible, but it’s little effort to make sure this won’t happen. ;)

  16. anathema Says:

    I could be wrong but I’m guessing this is the vuln from Awesome Andrew’s program,
    That got leaked onto Anon board (there is a post on his site about it)

  17. YEP.... Says:

    FLIMMER…. IS TOTALLY RIGHT IF PPL DIDNT POST ASS NAKED PICS THEN NO ONE WOULD HAVE N-E THING TO LOOK AT. THEY VIOLATE THE TERMS SO LET EM SUFFER. @ RSNAKE NO NEED TO BE THE SAVIOR.. DONT DISCLOSE ANYTHING ELSE.. JUST EMAIL IT TO ME!!! ILL HANDLE IT… JK. BUT SOME PPL ARE SUCH SNITCHES.. AND IM TALKIN BOUT THE GUY WHO TOLD RSNAKE!

  18. steve Says:

    @RSnake
    Nope it wasn’t this board that closed it :)
    The guy put up the url on a public board.. http://www.anonib.com
    Maybe the same guy who emailed you?

    I don’t know

  19. clamdoctor Says:

    steve, the url was posted on anonib several hours after it was posted here.

    seriously, anonib gets too much credit for this kind of stuff.
    this site is the reason the patch was closed, number one being that nobody has linked from digg to anonib for an exploit. same can’t be said about this site.

  20. anonifail Says:

    Actually clamdoctor it was posted on two different boards on AnonIB prior to being posted here, and it was only posted here after it had already been patched.

  21. clamdoctor Says:

    if you’re referring to buckethunters, then no, it was posted here prior to that.

  22. anonifail Says:

    There’s a time difference between this blog and anonib. I know this because I know who posted it.

  23. RSnake Says:

    @anonifail - I actually tested it prior to posting so it wasn’t fixed when it was posted, or maybe it was the second I posted, but not a few minutes prior when I verified. My post was made Tuesday, August 21st, 2007 at 2:00 pm PST.

  24. lisa Says:

    i can’t get to anything related to photobucket anymore. even when visiting friends’ myspace pages, any pics posted through photobucket don’t come up for me while they do for everyone else. this started a few days ago and i don’t even know if it is remotely related to your subject here. i don’t know what to do - can you help me?

  25. bucketcracker Says:

    This guy is taking requests just visit his websites.

    http://uk.youtube.com/user/MsnHackerMan

    http://uk.youtube.com/user/fotobucketman

  26. Mike Says:

    If you want to get pictures..
    Send an email to me ( Wrench.tool@yahoo.com )

    Send the following :
    -Name of the Account(s) you want pictures from
    -Ill send you a .rar file or a link to a file hoster.