SpiderLabs Blog

Photobucket: An Identity Thief's Playground

Written by | Jan 2, 2013 8:14:00 AM

Photobucket is a popular social media site that acts as gallery and cloud storage for user photos. Users can upload photos and arrange them into individual galleries or simply leave everything unsorted in one large library.

Support for smartphones makes it even more useful. Android and iPhone users can both download apps that automatically sync their phone's photos to Photobucket. And why not? It's super convenient; otherwise you'd have to transfer your photos from your phone to cloud storage by hand, one by one.

The security problem is that many users either (a) forget that the Photobucket app syncs all their photos to the site or (b) have no idea how to adjust privacy settings. Are you starting to see the problem here?

If you're like most smartphone owners, you use your phone as an extension of your brain. When was The Matrix released? Look it up on IMDB! What's the song that's playing on the radio right now? Have Shazam tell you! You opened a new account at your credit union: how will you be able to memorize your new account number? Take a photo of the account document and keep it in your image Gallery! But if you're syncing your photos to Photobucket with the default privacy settings, you've just shared that private document with the whole world!

This doesn't sound too bad; after all, what are the odds an identity thief will find your user profile on Photobucket and sort through all your photos until they find a picture of your account information? Well, Photobucket actually makes this really easy for our hypothetical thief. To illustrate, you could check out photobucket.com/recent (please note that adult-themed pictures occasionally end up there).

That's right: Photobucket displays recently uploaded files from its users in (more or less) real time. All our hypothetical thief has to do is stay on that page and scroll until he finds something useful. "But," a skeptic might say, "people don't put that sort of thing on Photobucket for the world to see!" A couple of hours of scrolling turned up evidence to the contrary. The interesting bits are obfuscated in the images below, but everything was in plaintext for the world to read. Please keep in mind that absolutely no special software, skills, or techniques were involved in gathering the following images.

First up: let's start small.

That's a high school report card. Nothing terribly earth-shattering, but it still includes the student's name, the high school he attends, what courses he took, and how well he did in them. That's probably not something you want the whole world to see. Nice job in Weight Training, Gio, but you gotta step up your woodshop game! We're all rooting for you!

Okay, on to something a little more interesting.


Looks like earnings data for a guy named David and… hold on, is that a social security number in the top-right corner? Sure is!

But wait, it gets worse.


This is one of the worst things you could possibly upload to a public website. Bank name: check. Account number: check. Social security number: check. Anyone viewing this image on Photobucket has almost everything they need to call this poor guy's bank, pass the bank's security questions, and clean out his account. Ouch.

Sometimes, even seemingly innocuous images can be used in combination for nefarious ends. Consider the following three images.


On its own, each of these images isn't much. But put them together, and an attacker knows the victim's name, where he goes to school, what he looks like, what his car looks like, its license plate, when he's in class (i.e. when he's not home), and where that classroom is located. All of this was easily found in the user's public-facing image library, which I was led to from his recently added photo of his college ID.

So what's the moral of this story? That you should use Photobucket's privacy controls for sensitive data you've uploaded to Photobucket? Actually, no. There are several ways around Photobucket's privacy settings. For example, URL fuzzing with common camera-generated filenames and sequence numbers can return both public and private photos for a particular user: the privacy setting keeps an image out of listings, but a guessed direct URL still gets to it. Privacy settings might make an identity thief's job harder, but you are by no means secure relying on them alone.
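To make the "URL fuzzing" point concrete, here is an added example (not code from the original post, and not Photobucket's real URL layout, which is replaced by a hypothetical `img.example.invalid` template). It generates the guessable filenames that cameras and phones produce by default, turns them into direct-URL candidates for a given username, and probes them with an unauthenticated fetch. The server side is a constructed in-memory simulation of a host whose "private" flag only hides images from gallery listings; no network access is made.

```python
import itertools
from typing import Callable, Iterable, Iterator, List

# Default filename prefixes used by common cameras and phone apps (assumption:
# typical Canon/Nikon/iPhone/Android defaults; the post only says "common
# image-specific filenames and sequence numbers").
COMMON_PREFIXES = ("IMG_", "DSC_", "DSCN")
COMMON_EXTS = ("jpg", "JPG")

# Hypothetical direct-URL template for a photo host. This is an assumption for
# illustration only and is NOT Photobucket's actual layout.
URL_TEMPLATE = "https://img.example.invalid/albums/{user}/{file}"


def candidate_filenames(prefixes: Iterable[str] = COMMON_PREFIXES,
                        exts: Iterable[str] = COMMON_EXTS,
                        start: int = 0, stop: int = 10_000,
                        width: int = 4) -> Iterator[str]:
    """Yield guessable names of the form <prefix><zero-padded sequence>.<ext>."""
    for prefix, num, ext in itertools.product(prefixes, range(start, stop), exts):
        yield f"{prefix}{num:0{width}d}.{ext}"


def candidate_urls(user: str, filenames: Iterable[str],
                   template: str = URL_TEMPLATE) -> Iterator[str]:
    """Turn candidate filenames into direct URLs for one user's album."""
    for name in filenames:
        yield template.format(user=user, file=name)


def probe(urls: Iterable[str], fetch: Callable[[str], int],
          limit: int = 1_000) -> List[str]:
    """Return the URLs for which an unauthenticated fetch reports HTTP 200."""
    return [url for url in itertools.islice(urls, limit) if fetch(url) == 200]


# --- Constructed simulation of the server side (no network) ------------------
# A host that hides "private" images from listings but still serves them to
# anyone who requests the direct URL. Usernames and files are made up.
_FAKE_LIBRARY = {
    "gio": {"IMG_0012.jpg": "public", "IMG_0013.jpg": "private"},
}


def fake_unauthenticated_fetch(url: str) -> int:
    """Simulated HTTP status for a logged-out request to a direct image URL."""
    _, user, file = url.rsplit("/", 2)
    return 200 if file in _FAKE_LIBRARY.get(user, {}) else 404


def guessable_images(user: str,
                     fetch: Callable[[str], int] = fake_unauthenticated_fetch,
                     limit: int = 1_000) -> List[str]:
    """Images reachable by guessing IMG_0000.jpg .. IMG_0099.jpg for `user`."""
    names = candidate_filenames(prefixes=("IMG_",), exts=("jpg",), stop=100)
    return probe(candidate_urls(user, names), fetch, limit)


if __name__ == "__main__":
    for hit in guessable_images("gio"):
        print(hit)   # the "private" IMG_0013.jpg shows up alongside the public one
```

The useful check for your own account is the same probe run by hand: copy the direct URL of a photo you have marked private and request it from a logged-out browser or with `curl`; a 200 means the privacy setting is a listing filter, not access control. A host that wants privacy settings to mean something has to serve private media only behind a session check or an unguessable, per-image token, so that predictable names like `IMG_0013.jpg` are not enough.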

When it comes to mobile devices, always think twice before taking pictures of any sensitive data. And be very aware of the settings on any sync or sharing apps you use; if it's not Photobucket's app, it may be Flickr, Instagram, or Facebook doing the same thing. Don't make things easy for identity thieves!