SpiderLabs Blog

Photobucket: An Identity Thief's Playground

Photobucket is a popular social media site that acts as gallery and cloud storage for user photos. Users can upload photos and arrange them into individual galleries or simply leave everything unsorted in one large library.

Adding support for smartphones makes it even more useful. Android and iPhone users can both download apps to automatically sync their cell phone photos to Photobucket. And why not? It's super convenient – otherwise you'd have to manually transfer your photos from your phone to cloud storage one by one.

The security problem is that many users either (a) forget that the Photobucket app syncs all their photos to the site or (b) have no idea how to adjust privacy settings. Are you starting to see the problem here?

If you're like most smartphone owners, you use your phone as an extension of your brain. When was The Matrix released? Look it up on IMDB! What's the song that's playing on the radio right now? Have Shazam tell you! You opened a new account at your credit union: how will you be able to memorize your new account number? Take a photo of the account document and keep it in your image Gallery! But if you're syncing your photos to Photobucket with the default privacy settings, you've just shared that private document with the whole world!

This might not sound too bad; after all, what are the odds an identity thief will find your user profile on Photobucket and sort through all your photos until they find a picture of your account information? Well, Photobucket actually makes this really easy for our hypothetical thief. To illustrate, you could check out the site's page of recently uploaded images (please note that adult-themed pictures occasionally end up there).

That's right – Photobucket displays recently uploaded files from its users in (more or less) real time. All our hypothetical thief has to do is stay on that page and scroll until he finds something useful. "But," a skeptic might say, "people don't put that sort of thing on Photobucket for the world to see!" A couple of hours of scrolling turned up evidence to the contrary. Obviously the interesting bits are obfuscated in the images below, but they were in plaintext for the world to read. Please keep in mind that absolutely no special software, skills, or techniques were involved in gathering the following images.

First up: let's start small.


That's a high school report card. Nothing terribly earth-shattering, but it still includes the student's name, the high school he attends, what courses he took, and how well he did in them. That's probably not something you want the whole world to see. Nice job in Weight Training, Gio, but you gotta step up your woodshop game! We're all rooting for you!

Okay, on to something a little more interesting.

Looks like earnings data for a guy named David and… hold on, is that a social security number in the top-right corner? Sure is!

But wait, it gets worse.

This is one of the worst things you could possibly upload to a public website. Bank name: check, account number: check, social security number: check. Anyone viewing this image on Photobucket has almost everything they need to call this poor guy's bank, pass their security check, and clean out his account. Ouch.

Sometimes, even seemingly innocuous images can be used in combination for nefarious ends. Consider the following three images.



On its own, each of these images isn't much. But put them together, and an attacker knows the victim's name, where he goes to school, what he looks like, what his car looks like, its license plate, when he's at class (i.e. when he's not home), and where that classroom is located. All of this was easily found in the user's public-facing library of images, which I was led to from the user's recently added photo of his college ID.

So what's the moral of this story? That you should use Photobucket's privacy controls for any sensitive data you've uploaded? Actually, no. There are several ways around Photobucket's privacy settings. For example, URL fuzzing with common image-specific filenames and sequence numbers can return both public and private photos for a particular user: a privacy flag that only hides an image from your gallery page does nothing if the image's URL can be guessed. Privacy settings might make an identity thief's job harder, but you're by no means secure using them on their own.
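To make the filename-fuzzing point concrete, here is an added example written for this page; it is not Photobucket's code, and it does not use Photobucket's real URL scheme. It simulates a toy photo host whose gallery page honours a per-image privacy flag but whose direct-image handler does not, with a constructed four-image library named the way phone cameras name files by default (`IMG_####`, `DSC_####`). The enumerator walks every prefix/sequence-number/extension combination and recovers the "private" images along with the public ones; re-keying the same library under random names (the mitigation) yields zero hits from the same search. The prefixes, the library contents and the host behaviour are all assumptions for the demonstration.

```python
"""Why guessable image filenames defeat a 'private' flag.

Constructed simulation added for this article; not Photobucket's code or
URL scheme. The library, prefixes and host behaviour are assumptions.
"""
import itertools
import secrets

# Constructed sample library for one user. The 'private' flag is what the
# toy host's gallery page consults; its direct-image handler (below) ignores it.
LIBRARY = {
    "IMG_0412.jpg": {"private": False, "label": "beach"},
    "IMG_0413.jpg": {"private": True,  "label": "bank statement"},
    "DSC_0099.jpg": {"private": True,  "label": "report card"},
    "IMG_0420.jpg": {"private": False, "label": "car"},
}

# Assumed set of common camera filename prefixes and extensions to try.
PREFIXES = ("IMG_", "DSC_", "DSCN", "PANO_")
EXTENSIONS = (".jpg", ".png")
SEQ_MAX = 9999  # four-digit counter: only 10,000 values per prefix/extension


def direct_fetch(library, filename):
    """Toy direct-URL handler: returns any existing image, public or private,
    because only the gallery page checks the privacy flag."""
    return library.get(filename)


def candidate_names(lo=0, hi=SEQ_MAX, prefixes=PREFIXES, extensions=EXTENSIONS):
    """Yield every prefix / zero-padded sequence number / extension combination."""
    for prefix, n, ext in itertools.product(prefixes, range(lo, hi + 1), extensions):
        yield f"{prefix}{n:04d}{ext}"


def enumerate_images(library, lo=0, hi=SEQ_MAX):
    """Brute-force the predictable name space against the direct handler and
    return {filename: metadata} for everything that resolved."""
    found = {}
    for name in candidate_names(lo, hi):
        hit = direct_fetch(library, name)
        if hit is not None:
            found[name] = hit
    return found


def private_hits(found):
    """Filter enumeration results down to images the user marked private."""
    return {name: meta for name, meta in found.items() if meta["private"]}


def random_name(ext=".jpg"):
    """Unguessable name: 128 bits of randomness instead of a 4-digit counter."""
    return secrets.token_hex(16) + ext


def rekey_library(library):
    """Mitigation: serve the same images under random, non-sequential names."""
    return {random_name(): meta for meta in library.values()}


def search_space_size(prefixes=PREFIXES, extensions=EXTENSIONS, seq_max=SEQ_MAX):
    """Number of candidate URLs the enumerator has to try in the worst case."""
    return len(prefixes) * (seq_max + 1) * len(extensions)


if __name__ == "__main__":
    hits = enumerate_images(LIBRARY)
    print(f"{len(hits)} of {len(LIBRARY)} images recovered after "
          f"{search_space_size()} candidate URLs:")
    for name, meta in hits.items():
        print(f"  {name}  private={meta['private']}  ({meta['label']})")
    print("private images exposed:", len(private_hits(hits)))
    print("hits against random names:", len(enumerate_images(rekey_library(LIBRARY))))
```

The asymmetry is the whole lesson: four prefixes times two extensions times a four-digit counter is 80,000 requests, an afternoon's work for one thread, while 128-bit random names give an attacker no better than a 1 in 2^128 chance per guess. A "private" flag that is enforced only by the gallery page is security through obscurity unless the direct URLs are themselves unguessable and the image handler also checks authorization.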

When it comes to mobile devices, always think twice before taking pictures of any sensitive data. And you should certainly be very aware of the settings on any sync or sharing apps you may be using. If you're not using Photobucket's app, you may be using Flickr, Instagram, or Facebook. Don't make things easy for identity thieves!
