Another Photobucket Locked and Private Directory Disclosure Issue
I was really hesitant to post this for a few reasons. The first is the sheer number of responses to the last Photobucket photo disclosure issue I posted. The second is that I have never used Photobucket, so I don’t particularly care about fixing issues in their system, other than the fact that I know there are a lot of people who would appreciate not having their private pics all over the Internet. I would have used responsible disclosure, but I was asked to post this, and I also tried that last time with Photobucket and didn’t get any response, so I don’t think there is anyone manning the black hole that my email apparently went into. I was asked to post this by “Anon”, who was very concerned about getting this out as soon as possible. Apparently the photo disclosure issue has been around for more than a year. The email has been snipped and modified in places to hide the identity of the person who sent it to me.
Hi RSnake, there’s a new PhotoBucket vulnerability which has actually been around for about a year now, which allows access to “Private” PhotoBucket accounts. Please publicly disclose this on ha.ckers.org. The vulnerability lies in an XML file, which is stored in the account, which is located on an IP address that resolves to PhotoBucket.com. For instance, http://s0006.photobucket.com/albums/0006/pbhomepage/, which is the PhotoBucket example account, can be changed to http://66.11.55.160/albums/0006/pbhomepage/.album.xml, which displays an XML file listing all paths, images, videos, and slideshows. It has access to ALL accounts no matter if they are locked or not. By navigating to http://66.11.55.160/albums/0006/.album.xml instead you will find an XML file containing a list of users’ accounts that are available on the selected server.
Again please disclose this immediately, and anonymously (no mention of me please), so that the issue will be patched.
So there you have it, folks. All Photobucket photos marked as private have been visible for a year, at least to the people who found out about this issue and didn’t report it. “Anon”, who forwarded this to me, felt it should be closed immediately. Hopefully this too is fixed rather quickly, like the last one was. Let the onslaught of comments begin.
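As an added defender-side illustration (this is not Photobucket’s code; the hostnames, album layout and privacy flags are assumptions), here is an authorization check that closes both halves of the issue described in the email: it refuses to serve dotfiles such as .album.xml, rejects requests addressed to a bare IP address instead of a canonical hostname, and fails closed on albums whose privacy state is unknown.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the two defects from the post: a per-album index file
# (.album.xml) living inside the web root, and a raw-IP virtual host that
# serves the album tree without the application's privacy check.
# The canonical hostnames and the album privacy table are assumptions.
CANONICAL_HOST = re.compile(r"^(s\d+\.)?photobucket\.com$")

ALBUM_PRIVACY = {  # constructed sample data: album path -> is private?
    "/albums/0006/pbhomepage/": False,
    "/albums/0006/alice/": True,
}


@dataclass
class Request:
    host: str            # value of the Host header
    path: str            # URL path
    user: Optional[str]  # authenticated user, None when anonymous


def _is_raw_ip(host: str) -> bool:
    # Strip a trailing ":port" for IPv4 / bracketed IPv6 hosts.
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate.strip("[]"))
        return True
    except ValueError:
        return False


def album_for(path: str) -> Optional[str]:
    # Album layout assumed from the post: /albums/<server>/<user>/...
    m = re.match(r"^(/albums/\d+/[^/]+/)", path)
    return m.group(1) if m else None


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request against the album tree."""
    if _is_raw_ip(req.host) or not CANONICAL_HOST.match(req.host):
        return False, "host-not-canonical"  # bare-IP access bypasses nothing
    if any(seg.startswith(".") for seg in req.path.split("/")):
        return False, "hidden-file"  # covers .album.xml at any depth, and ".."
    album = album_for(req.path)
    if album is None:
        return False, "outside-album-tree"  # e.g. the /albums/0006/ listing
    if not ALBUM_PRIVACY.get(album, True):  # unknown albums are treated as private
        return True, "public"
    owner = album.split("/")[3]
    return (True, "owner") if req.user == owner else (False, "private")
```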



August 21st, 2007 at 4:05 pm
Ah, I had known this had existed but not the actual exploit.
Anyways, it seems I am getting a forbidden when trying to access any of the album.xml’s now.
August 21st, 2007 at 4:07 pm
Doesn’t work for me =(
Page not found is what I got.
August 21st, 2007 at 4:09 pm
Well that was patched quickly. Or so it seems at least.
August 21st, 2007 at 4:10 pm
Wow, looks like it’s already fixed. Lightning fast. Whomever read that and fixed it please give me a shout offline. I’d be happy to disclose these to you personally, but your current mechanisms for reporting don’t appear to work at all.
2 hours and 5 minutes. Very impressive.
August 21st, 2007 at 4:15 pm
Man … they kicked it off so fast =(
August 21st, 2007 at 6:50 pm
wtf man, this has got to stop, you killed it within a couple of hours, does this really help anyone?
August 21st, 2007 at 8:07 pm
I deleted some comments. To answer the above question, yes it helps all the people who would have had their photos stolen. Sorry, I thought that was obvious.
August 21st, 2007 at 9:14 pm
Some of you kids are pretty stupid, seriously.
Photobucket is not secure because they don’t need to be. They even state they don’t do SSL because there is no reason for them to. They host pictures/movies (and offer products relating to those) and that is it. Security is not a reason to use it, or a concern of theirs.
The reason these exploits are found and used is to get pictures that violate Photobucket’s terms of service anyway.
That is the answer to why they don’t patch these things right away when they get them submitted on their site.
Now, when a popular blog discloses a vulnerability, it is embarrassing. So they patch it to save face, and that is it. If it’s not widely known, then they don’t care to take the time to fix the bugs few know about.
August 21st, 2007 at 10:45 pm
doesn’t work, they resolved it?
August 22nd, 2007 at 12:09 am
Good work RSnake, it’s nice to see you reporting these things to help get security flaws patched.
(Even more so since -I- have a photobucket account….)
August 22nd, 2007 at 1:10 am
This was posted on anon board..within 10 minutes it was closed by photobucket..
August 22nd, 2007 at 2:50 am
it helps everyone that would have had their pics stolen? why be an internet superhero? let the billion dollar company (photobucket) fix their issues. they don’t need some guy from a random website doing this stuff for them. they have a giant staff of programmers, etc. I mean no disrespect, but it’s just a little odd. why involve yourself in something that doesn’t have anything to do with you? that’s my question.
August 22nd, 2007 at 3:30 am
the guy who reported this bug is probably an unhappy employee
August 22nd, 2007 at 7:27 am
@Steve - so it wasn’t this website that got it closed? Interesting. Where’s the anon board?
@NotRSnake - I agree, if I never saw the word photobucket for the rest of my life I’d be a happy person. So I encourage them to fix their holes so I don’t have to disclose any more issues.
August 22nd, 2007 at 10:26 am
It’s best to classify this as a privacy breach. But it is a security issue. Users who submit their photos are giving PB their full trust. PB has to live up to this trust and secure it in order to guarantee privacy. Full security is impossible, but it’s little effort to make sure this won’t happen.
August 22nd, 2007 at 3:44 pm
I could be wrong but I’m guessing this is the vuln from Awsome Andrew’s program that got leaked onto Anon board (there is a post on his site about it).
August 23rd, 2007 at 12:17 am
FLIMMER…. IS TOTALLY RIGHT IF PPL DIDNT POST ASS NAKED PICS THEN NO ONE WOULD HAVE N-E THING TO LOOK AT. THEY VIOLATE THE TERMS SO LET EM SUFFER. @ RSNAKE NO NEED TO BE THE SAVIOR.. DONT DISCLOSE ANYTHING ELSE.. JUST EMAIL IT TO ME!!! ILL HANDLE IT… JK. BUT SOME PPL ARE SUCH SNITCHES.. AND IM TALKIN BOUT THE GUY WHO TOLD RSNAKE!
August 23rd, 2007 at 1:07 am
@RSnake
Nope, it wasn’t this board that closed it.
The guy put up the url on a public board: http://www.anonib.com
Maybe the same guy who emailed you?
I don’t know.
August 23rd, 2007 at 9:28 am
steve, the url was posted on anonib several hours after it was posted here.
seriously, anonib gets too much credit for this kind of stuff.
this site is the reason the patch was closed, number one being that nobody has linked from digg to anonib for an exploit. same can’t be said about this site.
August 23rd, 2007 at 3:15 pm
Actually clamdoctor it was posted on two different boards on AnonIB prior to being posted here, and it was only posted here after it had already been patched.
August 23rd, 2007 at 10:34 pm
if you’re referring to buckethunters, then no, it was posted here prior to that.
August 24th, 2007 at 6:43 am
There’s a time difference between this blog and anonib. I know this because I know who posted it.
August 24th, 2007 at 7:09 am
@anonifail - I actually tested it prior to posting so it wasn’t fixed when it was posted, or maybe it was the second I posted, but not a few minutes prior when I verified. My post was made Tuesday, August 21st, 2007 at 2:00 pm PST.
August 25th, 2007 at 9:55 pm
I can’t get to anything related to photobucket anymore. even when visiting friends’ myspace pages, any pics posted through photobucket don’t come up for me while they do for everyone else. this started a few days ago and I don’t even know if it is remotely related to your subject here. I don’t know what to do - can you help me?