August 14, 2012
Photobucket Fusking Exposed Users’ Private, Explicit Photos
redOrbit Staff & Wire Reports - Your Universe Online
A number of women who posted private, explicit photos of themselves on the online photo sharing site Photobucket have had these images made public and passed around on Internet message boards. The women had assumed that their privacy settings on the website protected the posted photos, which were not meant to be shared publicly.
However, through a technique known as ‘fusking’, in which software is used to find hidden pictures, skilled hackers are bypassing Photobucket’s security settings and searching the site for racy images.
The breach reveals a privacy gap on Photobucket, which gives users the option of making their albums or individual photos private, but gives every single picture its own URL. Since the image title is part of this URL, even if the picture is private, the title is relatively easy to find. For instance, if a user has a public image entitled IMG_01, they likely have an IMG_02 that may be private and explicit.
Fusking programs work by accelerating the guessing process, thereby quickly finding URLs for a person’s hidden photos.
Photobucket spokesman David Toner said the company is aware of fusking, but that such breaches are a “very rare occurrence that has affected only a small number of Photobucket's users.”
The company provides a URL scrambling service that offers some protection, he said.
“Scrambled URLs have been an option for the past two years and will be the default for all new uploads,” Toner told CNN.
The scrambled URLs make it more difficult for hackers to guess sequences of images, and to locate those meant to be kept private.
“The company is in the process of reminding users about the option to scramble URLs to prevent fusking.”
However, if users have not enabled URL scrambling, their photos may be vulnerable.
"There are additional technical flags and safeguards in place when we suspect that fusking is being attempted; however, we have also taken several actions that will plug any existing holes that allow this activity," Toner added.
Experts say the best way to avoid being the victim of fusking is to keep any nude photos entirely off the Internet.
“If you don't want someone else to see it, don't post it,” social media attorney Ethan Wall told CNN.
“Privacy settings on social media sites just can’t keep up with how fast technology is adapting,”
“As sites get more private, hackers and people who want to get more information will continue to get more sophisticated.”
“What you say and do on social media can be used against you and it can be found.”
In a posting on Photobucket’s corporate blog, CEO Tom Munro reminded users about the risks of fusking, and urged them to take advantage of the company’s scrambling service.
“You may have seen the articles talking about ‘fusking’ or the ability to gain access to private images on Photobucket,” he wrote.
“Protecting your privacy is paramount at Photobucket so we wanted to clarify what that means for those of you unfamiliar with the term and share how you can add a layer of protection.”
“Unless you’ve renamed your photos, your image names likely follow a consistent format, such as IMG_1939.JPG, IMG_1940.JPG, IMG_1941.JPG. If you have a Private album with default photo file names and you share the link to one of the photos in that Private album, it could be possible for someone to guess the link to other photos in that same Private album, since the files have a similar name.”
“If they guess the exact link, they may be able to see that photo even though you never shared the link with them.”
Munro said that while Photobucket monitors suspicious activity to track for possible fuskers, users should utilize the scrambling service for the added protection.
“The easiest way to protect your content is to scramble the links to your photos and videos. Unless you have a need to preserve your original file names, as some of our users do, we recommend that you select this option to scramble both past and future uploads.”
All new accounts will include scrambling as the default setting, he said.
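The article says Photobucket monitors for suspected fusking without describing how. One way a site operator could flag this pattern in access logs is sketched below as an added example, not Photobucket's own code; the log records, URL layout and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records: (client address, requested path, HTTP status).
# Paths and addresses are hypothetical, not Photobucket's real URL layout.
SAMPLE_LOG = (
    # One client walks IMG_1939..IMG_1946 in an album; most guesses miss.
    [("203.0.113.7", f"/albums/a1/alice/IMG_{n}.JPG",
      200 if n in (1939, 1941) else 404) for n in range(1939, 1947)]
    # A visitor pages through a public album: sequential, but every hit is valid.
    + [("198.51.100.20", f"/albums/b2/bob/DSC_{n:04d}.jpg", 200)
       for n in range(10, 16)]
    # Someone opens the single link that was shared with them.
    + [("198.51.100.33", "/albums/a1/alice/IMG_1939.JPG", 200)]
)

# Split a path into directory, name stem, trailing counter and extension.
NAME_RE = re.compile(
    r"^(?P<dir>(?:.*/)?)(?P<stem>[^/]*?)(?P<num>\d+)\.(?P<ext>[A-Za-z0-9]+)$")

def find_enumerators(records, min_distinct=5, min_miss_ratio=0.5):
    """Flag clients that request many counter variants of one file name
    and mostly get 403/404 back. Thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"nums": set(), "miss": 0, "total": 0})
    for client, path, status in records:
        m = NAME_RE.match(path)
        if not m:
            continue  # no numeric suffix, nothing to enumerate
        s = stats[(client, m["dir"] + m["stem"], m["ext"].lower())]
        s["nums"].add(int(m["num"]))
        s["total"] += 1
        s["miss"] += status in (403, 404)
    flagged = {}
    for (client, prefix, _ext), s in stats.items():
        if (len(s["nums"]) >= min_distinct
                and s["miss"] / s["total"] >= min_miss_ratio):
            flagged.setdefault(client, []).append(
                (prefix, len(s["nums"]), s["miss"]))
    return flagged

if __name__ == "__main__":
    for client, hits in find_enumerators(SAMPLE_LOG).items():
        print(client, hits)
```

The miss-ratio condition is what separates guessing from ordinary album browsing: a visitor paging through a public album also requests consecutive file names, but nearly all of those requests succeed.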