- A flaw in Hama Film’s website exposed photo booth footage from the United States, United Arab Emirates and Australia to anyone who knew where to look
- Researchers saw more than 1,000 images from the Melbourne stands and say the photos were accessible for up to 24 hours.
- Even short-term exposure enables identity abuse: fake profiles, scams, circumventing selfie controls, and constructing synthetic identities.
A popular photo booth chain in the United States, United Arab Emirates and Australia was found to store all of its image data on a server accessible (easily) through the device manufacturer’s website, essentially exposing people’s identities to potentially malicious players, experts have warned.
The cybersecurity researcher aka Zeacer said TechCrunch at that point they were able to view over 1,000 photos for the Melbourne-based stands.
Zeacer contacted Hama Film to inform them of the vulnerability on its website, but received no response, forcing the researcher to contact the media, sharing a sample of photos taken from the company’s servers, showing groups of clearly young people posing in photo booths.
A thousand photos exhibited
While this certainly limits the number of images exposed at a given time, a particularly persistent attacker (or one automating his work) could nevertheless download all the photos passing through the infrastructure.
Once hackers obtain these photos, the potential for abuse quickly multiplies. Clear facial images can be used to create convincing fake profiles on social media, which are then used as weapons for romance scams, investment fraud or social engineering attacks.
Cybercriminals can use stolen photos to pass basic identity checks, sign up for online services or bypass weak “selfie verification” systems. In some cases, they may even be combined with disclosed personal data to apply for jobs, open accounts or create synthetic identities.
Even if we ignore the obvious question: why would a photo booth store these images anywhere in the first place? It’s also worth mentioning that the images don’t appear to be stored permanently.
Zeacer’s initial investigation determined that the photos were deleted every two to three weeks, but later said they were actually deleted after 24 hours.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
