Photobucket is a popular social media site that acts as a gallery and cloud storage service for user photos. Users can upload photos and arrange them into individual galleries, or simply leave everything unsorted in one large library.
Adding support for smartphones makes it even more useful. Android and iPhone users can both download apps to automatically sync their cell phone photos to Photobucket. And why not? It’s super convenient – otherwise you’d have to manually transfer your photos from your phone to cloud storage one by one.
The security problem is that many users either (a) forget that the Photobucket app syncs all of their photos to the site, or (b) have no idea how to adjust the privacy settings. Are you starting to see the problem here?
If you’re like most smartphone owners, you use your phone as an extension of your brain. When was The Matrix released? Look it up on IMDB! What’s the song that’s playing on the radio right now? Have Shazam tell you! You opened a new account at your credit union: how will you be able to memorize your new account number? Take a photo of the account document and keep it in your image Gallery! But if you’re syncing your photos to Photobucket with the default privacy settings, you’ve just shared that private document with the whole world!
This doesn’t sound too bad; after all, what are the odds an identity thief will find your user profile on Photobucket and sort through all your photos until they find a picture of your account information? Well, Photobucket actually makes this really easy for our hypothetical thief. To illustrate, you could check out photobucket.com/recent (please note that adult-themed pictures occasionally end up there).
That’s right – Photobucket displays recently uploaded files from its users in (more or less) real time. All our hypothetical thief has to do is stay on that page and scroll until he finds something useful. “But,” a skeptic might say, “people don’t put that sort of thing on Photobucket for the world to see!” A couple of hours of scrolling turned up evidence to the contrary. Obviously the interesting bits are obfuscated here, but they were in plaintext for the world to read. Please keep in mind that absolutely no special software, skills, or techniques were involved in gathering the following images.