I was really hesitant to post this for a few reasons. The first being the sheer number of responses to the last photobucket photo disclosure issue I posted. The second is that really, I have never used photobucket, so don’t particularly care about fixing issues in their system other than the fact that I know there are a lot of people who would probably appreciate not having their private pics all over the Internet. I would have used responsible disclosure, but I was asked to post this and also I tried that last time with Photobucket and didn’t get any response, so I don’t think there is anyone manning the blackhole that my email apparently went into. I was asked to post this by “Anon” who was very concerned about this being live as soon as possible. Apparently the photo disclosure issue has been around for more than a year. The email has been snipped and modified in places to hide the identity of the person who sent this to me.
Hi RSnake, there’s a new PhotoBucket vulnerability which has actually been around for about a year now, which allows access to “Private” PhotoBucket accounts. Please publicly disclose this on ha.ckers.org.
The vulnerability lies in an XML file, which is stored in the account, which is located on an IP address that resolves to PhotoBucket.com. For instance, http://s0006.photobucket.com/albums/0006/pbhomepage/, which is the PhotoBucket example account, can be changed to http://220.127.116.11/albums/0006/pbhomepage/.album.xml, which displays an XML file displaying all paths, images, videos, and slideshows. It has access to ALL accounts no matter if they are locked or not. By navigating to http://18.104.22.168/albums/0006/.album.xml instead you will find an XML file containing a list of users’ accounts that are available on the selected server.
Again please disclose this immediately, and anonymously (no mention of me please), so that the issue will be patched.
So there you have it, folks. All Photobucket photos marked as private have been visible for a year to at least the people who found out about this issue and didn’t report it. “Anon”, who forwarded this to me, felt it should be closed immediately. Hopefully this too is fixed rather quickly, like the last one was. Let the onslaught of comments begin.
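The failure the forwarded email describes is an access check tied to the route rather than to the resource: an album is protected when reached through the normal hostname and path, but the same files are reachable through the server’s raw IP address and a hidden index file, and the server’s bare directory enumerates accounts. The Python below is an added example, not Photobucket’s code, of the single deny-by-default decision a defender would want in front of every path on an image server: it refuses requests whose Host header is not one of the server’s own names, normalises the path before any lookup, never serves dotfiles such as the index, refuses directory listings, and checks the privacy flag of the album a file belongs to rather than the file. The hostname `s0006.example-photos.test`, the IP `203.0.113.10`, the album catalogue and every path are constructed for the example.

```python
"""Added example, not Photobucket's code: one authorization decision applied to
every path under an album, whether the request names the public hostname or the
server's raw IP, and whether it targets a photo, the hidden .album.xml index, or
the per-server account listing.  Hostnames, album data and paths are constructed."""
from dataclasses import dataclass
from typing import Optional
import posixpath

# Hostnames this image server is willing to answer for (constructed).  A request
# carrying anything else in its Host header, such as the raw IP, is refused.
SERVED_HOSTS = {"s0006.example-photos.test"}

# Constructed album catalogue: album directory -> (owner, is_private).
ALBUMS = {
    "/albums/0006/pbhomepage": ("pbhomepage", False),
    "/albums/0006/alice": ("alice", True),
}


@dataclass
class Request:
    host: str            # value of the Host header
    path: str            # request path, before any normalisation
    user: Optional[str]  # authenticated account name, or None when anonymous


def find_album(norm_path: str) -> Optional[str]:
    """Return the catalogue key whose directory contains norm_path, or None."""
    for album in ALBUMS:
        if norm_path == album or norm_path.startswith(album + "/"):
            return album
    return None


def authorize(req: Request) -> int:
    """Return the HTTP status the request should receive.

    Deny-by-default: only a request for a concrete, non-hidden file inside an
    album the caller may see returns 200."""
    # 1. The server only answers for its own names; reaching it by IP address
    #    must not open a second, unguarded route to the same files.
    if req.host not in SERVED_HOSTS:
        return 421  # Misdirected Request

    # 2. Collapse "." / ".." / "//" before looking anything up, so a traversal
    #    cannot make the album lookup and the file served disagree.
    norm = posixpath.normpath(req.path)

    # 3. Metadata files such as .album.xml are never served directly, to anyone.
    if any(part.startswith(".") for part in norm.split("/")):
        return 404

    # 4. No album matched, or the album directory itself was requested: this
    #    covers the bare server directory, whose listing would enumerate every
    #    account stored on the machine, and per-album listings.
    album = find_album(norm)
    if album is None or norm == album:
        return 404

    # 5. The privacy flag is checked on the album the file belongs to, so every
    #    file under a private album inherits the same answer.
    owner, is_private = ALBUMS[album]
    if is_private and req.user != owner:
        return 403
    return 200


if __name__ == "__main__":
    for r in (
        Request("s0006.example-photos.test", "/albums/0006/pbhomepage/banner.jpg", None),
        Request("s0006.example-photos.test", "/albums/0006/alice/.album.xml", None),
        Request("203.0.113.10", "/albums/0006/alice/photo1.jpg", None),
        Request("s0006.example-photos.test", "/albums/0006/", None),
    ):
        print(authorize(r), r.host, r.path)
```

The order of the checks is the point: the Host check runs before anything is looked up, so an alternate route to the box gets no further than a 421, and the dotfile and listing refusals run before the privacy check, so the index and the account list are unreachable even for the owner rather than being one missed flag away from public.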