- An error on Hama Film’s website exposed photo booth footage from the US, UAE and Australia to anyone who knew where to look
- Researchers looked at more than 1,000 images from booths in Melbourne and say images were available for up to 24 hours
- Even short-term exposure enables identity abuse: fake profiles, fraud, bypassing selfie checks and building synthetic identities
A popular photo booth chain found across the US, United Arab Emirates and Australia was found to store all of its image data on a server that can be (easily) accessed via the device manufacturer’s website, essentially exposing people’s identities to potentially malicious players, experts have warned.
A cybersecurity researcher who goes by the alias Zeacer told TechCrunch that at one point they were able to view more than 1,000 images from Melbourne-based booths.
Zeacer contacted Hama Film to notify it of the vulnerability on its website, but received no response – forcing the researcher to reach out to the media and share a sample of images taken from the company’s servers, which showed groups of clearly young people posing in photo booths.
Thousands of exposed images
Even if we ignore the obvious question – why would a photo booth store these photos anywhere in the first place – it’s also worth mentioning that the photos don’t appear to be stored permanently.
Zeacer’s initial investigation determined that the images are deleted every two to three weeks, but the researcher later said they are actually removed after 24 hours.
While this definitely limits the number of images exposed at any given time, a particularly persistent attacker (or someone who automates their work) can still download all the images passing through the infrastructure.
Once hackers get hold of these images, the potential for abuse multiplies quickly. Clear facial images can be used to create convincing fake social media profiles, which then become weapons for romance scams, investment scams or social engineering attacks.
Cybercriminals can use stolen photos to pass basic identity checks, register for online services or bypass weak “selfie verification” systems. In some cases, they can even be paired with leaked personal data to apply for jobs, open accounts or build synthetic identities.



