Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Photobucket: An Identity Thief's Playground

Photobucket is a popular social media site that acts asgallery and cloud storage for user photos. Users can upload photos and arrangethem into individual galleries or simply leave everything unsorted in one largelibrary.

Adding support for smartphones makes it even more useful.Android and iPhone users can both download apps to automatically sync theircell phone photos to Photobucket. And why not? It's super convenient –otherwise you'd have to manually transfer your photos from your phone to cloudstorage one by one.

The security problem is that many users either (a) forgetthat the Photobucket app syncs alltheir photos to the site or (b) have no idea how to adjust privacy settings.Are you starting to see the problem here?

If you're like most smartphone owners, you use your phone asan extension of your brain. When was TheMatrix released? Look it up on IMDB! What's the song that's playing on theradio right now? Have Shazam tell you! You opened a new account at your creditunion: how will you be able to memorize your new account number? Take a photoof the account document and keep it in your image Gallery! But if you're syncingyour photos to Photobucket with the default privacy settings, you've justshared that private document with the whole world!

This doesn't sound too bad; after all, what are the odds anidentity thief will find your user profileon Photobucket and sort through all your photos until they find a picture of youraccount information? Well, Photobucket actually makes this really easy for ourhypothetical thief. To illustrate, you could check out photobucket.com/recent (please note that adult-themed picturesoccasionally end up there).

That's right – Photobucket displays recently uploaded filesfrom its users in (more or less) real-time. All our hypothetical thief has todo is stay at that page and scroll until he finds something useful. "But," askeptic might say, "people don't put that sort of thing on Photobucket for theworld to see!" A couple of hours of scrolling turned up evidence to thecontrary. Obviously the interesting bits are obfuscated, but it was inplaintext for the world to read. Please keep in mind that absolutely no special software, skills, ortechniques were involved in gathering the following images.

First up: let's start small.

Report card_anon_small

That's a high school report card. Nothing terribly earth-shattering,but it still includes the student's name, the high school he attends, whatcourses he took, and how well he did in them. That's probably not something youwant the whole world to see. Nice job in Weight Training, Gio, but you gottastep up your woodshop game! We're all rooting for you!

Okay, on to something a little more interesting.

Looks like earningsdata for a guy named David and… hold on, is that a social security number inthe top-right corner? Sure is!

But wait, it gets worse.

This is one of theworst things you could possibly upload to a public website. Bank name: check, accountnumber: check, social security number: check. Anyone viewing this image onPhotobucket has almost everything they need to call this poor guy's bank, passtheir security check, and clean out his account. Ouch.

Sometimes, even seemingly innocuous images can be used incombination for nefarious ends. Consider the following three images.



On its own, one ofthese images isn't much. But put them together, and an attacker knows thevictim's name, where he goes to school, what he looks like, what his car lookslike, its license plate, when he's at class (i.e. when he's not home), andwhere that classroom is located. All this stuff is easily found in the user'spublic-facing library of images, which I was led to from the user's recently addedphoto of his college ID.

So what's the moral of this story? That you should usePhotobucket's privacy controls for sensitive data you've uploaded toPhotobucket? Actually, no. There are several ways around Photobucket's privacysettings. For example, URL fuzzing with common image-specific filenames andsequence numbers can return both public and private photos for a particularuser. Privacy settings might make an identity thief's job harder, but you're byno means secure using them on their own.

When it comes to mobile devices, always think twice beforetaking pictures of any sensitive data. And you should certainly be very awareof the settings on any sync or sharing apps you may be using. If you're notusing Photobucket's app, you may be using Flickr, Instagram, or Facebook. Don'tmake things easy for identity thieves!