Last Friday night, Wired writer Mat Honan had his Twitter and email accounts broken into, and his phone, computer, and iPad all wiped. His story is frightening as well as sad (he lost important family photos), but it highlights just how possible it is to access some platforms without doing any actual “hacking” — the culprits took advantage of bad security policy and publicly available information to gain control of his accounts.
Another service with a gaping security hole that people have been exploiting, hack-free and for at least five years, is Photobucket.
Remember Photobucket? Yes? You still have an account on there? You don’t happen to have any……. squints eyes, looks around old nudes in there, do you?
If so, they might be much more easily found than you thought.
Photobucket handles privacy levels differently than other photo sharing services like Flickr or Facebook. Instead of setting a privacy level at the individual photo, you set the privacy level (“Everyone,” “Private,” or “Password-protected”) at the album level. If you select Private or Password-protected for an album, the photos won’t show up in search, and someone browsing your profile wouldn’t be able to find them. However, each photo is still accessible via a direct link to its url.
This means that if I put photos in a private or password-protected album, I can still send a direct link to an individual photo to my friend, and she won’t need a password to view that photo. If she wants, she can pass along that link to any of her other friends and they can also view over the Photobucket site, no problem, regardless of how I set the privacy level on the album. This is meant to be a feature — in theory, only an album’s owner would be able to share the link in the first place, since the only obvious way to find its url in the first place is to have access to its album.
Problem is, the URLs Photobucket uses for these pictures use the photos’ actual file names, and file names aren’t that hard to guess. For example, if the photo I want to send to Sally is DSC_003.jpg, she can guess that there’s also an DSC_004.jpg in that album. And maybe I don’t want her seeing DSC_004.jpg.
Of course, your friends probably aren’t going to sit there and guess every single possible file name. That would be time consuming, and even harder if they hadn’t seen that first file name to give them a hint. That’s where “fusking” programs come — you just enter the username and album name, and the fusking program will run through likely guesses and pull up any images it can find.
Who would want to do this? Corporate espionage? The CIA? Your boss? Of course not! It’s all dudes who want to find nudes of that hot girl in their class. Instructional videos on how to download and use fusking programs are open about the fact that they’re looking for girls’ private photos. In one video, the motivation for fusking is clear:
Have you ever, like seen a really hot chick on Myspace or something, and she’s got a picture on her front page? Like on her profile that she put it on there with HTML with a Photobucket link, and then you go to the username that’s on the Photobucket link, and you get to the site, and the fricking name is private? It just PISSES you off, you know?
For a long time, I’ve seen threads on 4chan of images of girls’ “hacked Photobucket” images, but I typically ignored them, having little interest in photos of possibly underage nude girls. I also assumed they weren’t really “hacked” and were just ads for a pornography site (there’s plenty of that kind of spam on 4chan). It was only recently that I noticed what was actually going on in one of these threads – one person started a thread saying they knew how to “fusker” Photobucket accounts, and if anyone sent in the username of a girl whose private photos they wanted to see, he’d access them for them. Plenty of people responded with links to the Photobucket accounts of female acquaintances, and sure enough, OP delivered private photos of the girls in underwear.
Scraps of evidence of guys using fuskers to get girls’ private photos exists in message boards. In a discussion thread about how Photobucket took down a photo that was only moderately risqué (Photobucket was notoriously strict about taking down pornography and nudity), someone chimed in, “I’ve lurked and fuskered Photobucket and have downloaded pictures off of girls private and public Photobucket pages that show way more than that.”
I thought that this was all way in the past – a 2007 moment of folly. However, very recently, a friend had this happen to him, or more specifically, his ex-girlfriend’s photos. He discovered that someone has posted photos of his ex in a NSFW sub-Reddit that he had taken years ago, and he knew the only place she would have stored the photos was her private Photobucket account. The comment on the photo posted to Reddit said that the person had found the photos on 4chan, where they had been posted in response to a fusking request. This meant that someone had very recently targeted his girlfriend’s years-old Photobucket account that she had likely forgotten even held those photos.
Sure, Photobucket isn’t exactly as popular as it was back in 2007 when Myspace bought it for around $300M. Facebook has more or less killed Photobucket for sharing photos with friends and family, and sexting via smartphone with better cameras has eliminated the need to store X-rated photos of yourself on a photo hosting service. Today, Photobucket is primarily a silent partner to Twitter, which uses its infrastructure for t.co photo hosting (those photos are not vulnerable to the same kind of fusking). A request for comment sent to Photobucket has not been answered.
Just as my friend’s ex-girlfriend, many people have Photobucket accounts left from the Myspace days that are just gathering dust, potentially with some risqué photos in “private” albums. If you were dumb enough to be taking nude photos (don’t ever take nude photos. In fact, don’t be nude, ever. Just avoid the whole thing.), you better delete that shit, ASAP, people.