
Photofucket, the tool that lets hackers steal Photobucket pictures. Creators arrested

Graham CLULEY

May 11, 2015


Are you still storing your private photographs and videos on the internet? How much trust are you putting in online companies to keep unauthorised eyes from seeing your personal snapshots and intimate home movies?

It’s a question that keeps arising, and it has come up again this week following news that two men have been arrested for allegedly creating, marketing and selling a tool designed to allow unauthorised access to images and videos stored on Photobucket.

The tool, imaginatively entitled Photofucket, was allegedly sold by 39-year-old Brandon Bourret of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California, to allow people to circumvent the privacy of Photobucket users.


To understand just what the Photofucket tool was doing, it’s important to understand how Photobucket works.

When you create an album on the Photobucket website, you can give it one of three different privacy settings: public, private or password-protected.

Public Photobucket albums are visible to the world, including search engines, and anyone can access your album and browse your photos.

Private albums on Photobucket aren’t listed on the site’s search engine, or in third-party search engines like Google. However, Photobucket users can share photographs in their private album with others, without giving access to the entire album.

Finally, password-protected Photobucket albums are not searchable on the site or in Google, and require a password to view their contents. Guest passwords can be shared with other viewers to allow access to password-protected albums.


Marketing material for the questionable Photofucket tool makes clear that it can raid a private Photobucket album, and attempt to download its entire content by guessing filenames:

“Photofucket is a client software application designed to fusk content from private Photobucket albums and download content from public Photobucket albums.”

“If you have the password to a private account, Photofucket can download all the content from the album just as quickly and easily as if it were a public album.”

“Photofucket can attempt to download the content of a private album using a brute-force method called “fusking,” where the program tries to download content by guessing the names of files that might be in the private album.”

Furthermore, according to a Department of Justice indictment, Bourret and Andrianakis “used the Photofucket application to obtain guest passwords to Photobucket.com users’ password-protected albums” and then made those credentials available to purchasers of Photofucket.
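From the defender's side, filename guessing of this kind shows up in access logs as one client requesting many distinct names in a single album, with most of them missing. The following is an added example, not code from the article or from Photobucket; the log format, URL layout and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log line shape: "<client> GET <album path>/<file name> <status>"
LINE = re.compile(r"^(\S+) GET (/albums/\S+)/([^/\s]+) (\d{3})$")

def build_sample_log():
    """Constructed log: one client guessing camera-style names, two normal viewers."""
    lines = []
    # Guesser: walks IMG_0001..IMG_0040 in one album; only 3 names exist.
    for n in range(1, 41):
        status = 200 if n in (7, 19, 33) else 404
        lines.append(f"203.0.113.7 GET /albums/u1/alice/IMG_{n:04d}.jpg {status}")
    # Normal viewer: follows shared links, every request resolves.
    for name in ("beach.jpg", "IMG_0007.jpg", "party.jpg"):
        lines.append(f"198.51.100.4 GET /albums/u1/alice/{name} 200")
    # Viewer with one stale link: a single miss must not raise an alert.
    lines.append("198.51.100.9 GET /albums/u2/bob/old.jpg 404")
    lines.append("198.51.100.9 GET /albums/u2/bob/new.jpg 200")
    return lines

def detect_filename_guessing(lines, min_names=20, min_miss_ratio=0.8):
    """Return [(client, album, names_tried, miss_ratio)] for suspected guessing."""
    stats = defaultdict(lambda: {"names": set(), "total": 0, "miss": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not album file fetches
        client, album, name, status = m.groups()
        s = stats[(client, album)]
        s["names"].add(name)
        s["total"] += 1
        if status == "404":
            s["miss"] += 1
    alerts = []
    for (client, album), s in sorted(stats.items()):
        ratio = s["miss"] / s["total"]
        # Many distinct names in one album, mostly nonexistent: enumeration.
        if len(s["names"]) >= min_names and ratio >= min_miss_ratio:
            alerts.append((client, album, len(s["names"]), round(ratio, 3)))
    return alerts

if __name__ == "__main__":
    for alert in detect_filename_guessing(build_sample_log()):
        print(alert)
```

Detection only limits the damage: the three guessed names that resolved were still served, which is why unguessable object names or per-request authorisation are the actual fix.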


The authorities claim that Bourret paid Andrianakis via PayPal to develop the app, and discussed ways to circumvent Photobucket’s security.

Of course, a preferable course of action would have been to responsibly disclose any vulnerability to Photobucket so it could have been investigated and fixed, and perhaps a bug bounty could have been paid.

“Unauthorized access into a secure computer system is a serious federal crime,” said FBI Denver Special Agent Thomas Ravenelle in a Department of Justice press release. “The arrest of Brandon Bourret and his co-conspirator reflects the FBI’s commitment to investigate those who undertake activities such as this with the intent to harm a company and its customers.”

If convicted, the men face charges that could result in penalties of up to 10 years in prison.
