
Photofucket, the tool that lets hackers steal Photobucket pictures. Creators arrested

Are you still storing your private photographs and videos on the internet? How much trust are you putting in online companies to keep unauthorised eyes from seeing your personal snapshots and intimate home movies?

It’s a question that keeps arising, and it arises again this week following news that two men have been arrested for allegedly creating, marketing and selling a tool designed to allow unauthorised access to images and videos stored on Photobucket.

The tool, imaginatively entitled Photofucket, was allegedly sold by 39-year-old Brandon Bourret of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California, to allow people to circumvent the privacy of Photobucket users.


To understand just what the Photofucket tool was doing, it’s important to understand how Photobucket works.

When you create an album on the Photobucket website, you can give it one of three different privacy settings: public, private or password-protected.

Public Photobucket albums are visible to the world, including search engines, and anyone can access your album and browse your photos.

Private albums on Photobucket aren’t listed on the site’s search engine, or in third-party search engines like Google. However, Photobucket users can share photographs in their private album with others, without giving access to the entire album.

Finally, password-protected Photobucket albums are not searchable on the site or in Google, and require a password to view their contents. Guest passwords can be shared with other viewers to allow access to password-protected albums.


Marketing material for the questionable Photofucket tool makes clear that it can raid a private Photobucket album, and attempt to download its entire content by guessing filenames:

“Photofucket is a client software application designed to fusk content from private Photobucket albums and download content from public Photobucket albums.”

“If you have the password to a private account, Photofucket can download all the content from the album just as quickly and easily as if it were a public album.”

“Photofucket can attempt to download the content of a private album using a brute-force method called “fusking,” where the program tries to download content by guessing the names of files that might be in the private album.”
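The server-side view of what that marketing copy describes, as an added example that is not part of the original article and not anything Photobucket is known to have run: a small Python detector that reads web-server access logs and flags a single client fetching many sequentially named files from one album within a short window, most of them answered with 404. Filename guessing against an unlisted album looks exactly like that from the server, because the guesser cannot know which names exist and pays for every miss. The log layout (common log format), the /albums/<user>/<album>/ path scheme, the IMG_NNNN.jpg names, the client addresses and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in common log format. Client addresses, timestamps, the
# /albums/<user>/<album>/ layout and the IMG_NNNN.jpg names are made up for
# this example; they are not Photobucket's real URL scheme or log data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2015:10:01:01 +0000] "GET /albums/u1/private/IMG_0001.jpg HTTP/1.1" 200 51234
203.0.113.7 - - [12/Aug/2015:10:01:02 +0000] "GET /albums/u1/private/IMG_0002.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:03 +0000] "GET /albums/u1/private/IMG_0003.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:04 +0000] "GET /albums/u1/private/IMG_0004.jpg HTTP/1.1" 200 48311
203.0.113.7 - - [12/Aug/2015:10:01:05 +0000] "GET /albums/u1/private/IMG_0005.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:06 +0000] "GET /albums/u1/private/IMG_0006.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:07 +0000] "GET /albums/u1/private/IMG_0007.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:08 +0000] "GET /albums/u1/private/IMG_0008.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:09 +0000] "GET /albums/u1/private/IMG_0009.jpg HTTP/1.1" 404 0
203.0.113.7 - - [12/Aug/2015:10:01:10 +0000] "GET /albums/u1/private/IMG_0010.jpg HTTP/1.1" 404 0
198.51.100.4 - - [12/Aug/2015:10:01:30 +0000] "GET /albums/u1/private/IMG_0001.jpg HTTP/1.1" 200 51234
198.51.100.4 - - [12/Aug/2015:10:02:15 +0000] "GET /albums/u1/private/IMG_0004.jpg HTTP/1.1" 200 48311
198.51.100.4 - - [12/Aug/2015:10:02:40 +0000] "GET /albums/u2/public/beach.jpg HTTP/1.1" 200 80211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    album, _, filename = m.group("path").rpartition("/")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "album": album,
        "filename": filename,
        "status": int(m.group("status")),
    }


def numeric_suffix(filename):
    """Trailing number before the extension (IMG_0007.jpg -> 7), or None."""
    m = re.search(r"(\d+)\.[A-Za-z0-9]+$", filename)
    return int(m.group(1)) if m else None


def looks_sequential(filenames, min_run=3):
    """True if the numbered filenames contain a run of min_run consecutive integers."""
    nums = sorted({n for n in map(numeric_suffix, filenames) if n is not None})
    run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def detect_fusking(log_text, min_requests=8, window_seconds=60, min_miss_rate=0.5):
    """Flag (client, album) pairs that request many files in a short window with a
    high 404 rate. Thresholds are illustrative assumptions, not tuned values."""
    by_client_album = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_client_album[(rec["ip"], rec["album"])].append(rec)

    findings = []
    for (ip, album), recs in by_client_album.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Advance the window start until all requests fit inside window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            misses = sum(1 for r in window if r["status"] == 404)
            if misses / len(window) < min_miss_rate:
                continue
            if best is None or len(window) > best["requests"]:
                best = {
                    "ip": ip,
                    "album": album,
                    "requests": len(window),
                    "misses": misses,
                    "sequential": looks_sequential(r["filename"] for r in window),
                    "first": window[0]["ts"].isoformat(),
                    "last": window[-1]["ts"].isoformat(),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_fusking(SAMPLE_LOG):
        print(f)
```

On the constructed log the detector reports one finding: 203.0.113.7 made ten requests against /albums/u1/private in ten seconds, eight of them 404s, with filenames forming a consecutive IMG_0001..IMG_0010 run, while the second client fetching two shared photos is left alone. Thresholds like eight requests per minute and a 50% miss rate are starting points and would need tuning against real album sizes and legitimate viewer behaviour. Detection is also the second line of defence: the condition that makes guessing worthwhile is that a "private" album is merely unlisted, so any object in it can be fetched by anyone who knows or guesses its name. Serving private objects under unguessable per-object identifiers, or checking the viewer's authorisation on every object fetch rather than only on the album listing, removes the payoff that a fusker depends on.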

Furthermore, according to a Department of Justice indictment, Bourret and Andrianakis “used the Photofucket application to obtain guest passwords to Photobucket.com users’ password-protected albums” and then made those credentials available to purchasers of Photofucket.


The authorities claim that Bourret paid Andrianakis via PayPal to develop the app, and that the two discussed ways to circumvent Photobucket’s security.

Of course, a preferable course of action would have been to responsibly disclose any vulnerability to Photobucket so it could have been investigated and fixed, and perhaps a bug bounty could have been paid.

“Unauthorized access into a secure computer system is a serious federal crime,” said FBI Denver Special Agent Thomas Ravenelle in a Department of Justice press release. “The arrest of Brandon Bourret and his co-conspirator reflects the FBI’s commitment to investigate those who undertake activities such as this with the intent to harm a company and its customers.”

The men face charges that, if they are convicted, could carry penalties of up to 10 years in prison.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • “Of course, a preferable course of action would have been to responsibly disclose any vulnerability to Photobucket so it could have been investigated and fixed, and perhaps a bug bounty could have been paid.”

    I of course agree with the idea but I get the impression (and would be surprised if I’m wrong despite the fact I’d rather wish I was wrong) they only care about the black market and the use of the tool as such (meaning the results). It is unfortunate but too many people (which really means > 0 as far as I am concerned but it is unfortunately much worse than that) don’t really care about the privacy of others (and if they do they don’t care enough), probably even their own in some sense (although if the tool was used on them in return they’d probably fail to see the significance and/or complain about it[1] – just like any other tool would upset them). These people don’t really care about decency because they don’t have any decency. Sure, some might – maybe including themselves – claim they have good ethics but they surely aren’t showing that to the world this way. To really capture the picture in perfect light (I can’t help but give the analogy as such), I think it is like this: they would rather see what the tool allows (as results and also for the creator, profit; potentially profit for those using it too) rather than be paid for doing the right thing (which means as much as contribute to the project rather than cause pain to those using it). Not that I think Photobucket is a good idea for personal photos (as in private/intimate type of personal photos). Maybe for scenery/landscape/etc. but not what some would use it for. But that’s their choice, too, just like it is with other websites (or send over mobile phone or through email or whatever else) that people post pictures to. Still, this exploit isn’t exactly pleasant for any type of photos or actually any other content (invasion of privacy is still invasion of privacy).

    [1] Which, given the circumstances, would be whining, not complaining. And not just whining but very loud, very obnoxious whining.

  • This guy had it coming. He used to try and hawk this software on several of the forums I frequented incessantly. He would even brag about how much he was making. He described it as legitimate software that Law Enforcement professionals use to gather evidence. I knew he was full of it though. Once I saw he forgot to auto renew his privacy settings for his site registration (oops) I knew it wouldn’t be long before he and his cohorts were nabbed.