Flaw in photo booth maker’s website exposes customers’ pictures

A significant security vulnerability has been discovered in the website of a photo booth manufacturer, leading to the exposure of customers' photos and videos online. This alarming issue was brought to light by a security researcher known as Zeacer, who initially reported the flaw to Hama Film, a company with a franchise presence in Australia, the UAE, and the U.S., back in October. After not receiving a response, Zeacer alerted TechCrunch in late November about the ongoing risk to customer privacy. Zeacer provided TechCrunch with examples of images sourced from Hama Film’s servers, showcasing groups of young individuals enjoying their time in the photo booths. Unlike traditional booths, Hama Film's products not only print photos but also upload them to the company's servers. Despite multiple attempts to reach out, Vibecast, the parent company of Hama Film, has not responded to inquiries regarding the security breach. As of the latest update, the security flaw remains unresolved, continuing to jeopardize customer data. Consequently, TechCrunch has opted to withhold specific details about the vulnerability to prevent potential exploitation. Initially, Zeacer noted that images were deleted from the servers every two to three weeks. However, the latest observations indicate that photos are now removed after just 24 hours, which reduces the window for exposure but does not eliminate the risk of a hacker accessing the data daily. Before the current week, Zeacer reported witnessing over 1,000 photos available online from Hama Film’s booths in Melbourne. This incident underscores a broader trend of companies neglecting essential security measures, such as rate-limiting. Just last month, TechCrunch highlighted a similar oversight by Tyler Technologies, a government contractor, which failed to implement necessary protections for jurors' personal information, exposing them to potential breaches. The ongoing situation with Hama Film serves as a reminder of the critical importance of robust cybersecurity practices in safeguarding customer data.