A security flaw in photo booth company Hama Film’s website is exposing customer photos and videos, according to security researcher Zeacer. The vulnerability allows unauthorized access to files uploaded from the company’s booths, raising concerns about data security and privacy. The issue was initially reported in October, but as of Friday, a full resolution hadn’t been implemented, prompting further scrutiny of the company’s practices.
Hama Film operates franchise locations in Australia, the United Arab Emirates, and the United States. Unlike traditional photo booths, these booths upload customer images and videos to the company’s servers, offering a digital copy alongside the printed version. This convenience, however, has created a significant security risk.
The Hama Film Data Exposure Vulnerability
Zeacer discovered that the website lacked adequate security measures to protect these uploaded files. Initially, the researcher observed that photos remained accessible for two to three weeks before being deleted. While the retention period has since been reduced to approximately 24 hours, the core vulnerability persists.
This means a malicious actor could potentially exploit the flaw daily to download all photos and videos currently stored on the server. The researcher shared examples with TechCrunch showing images of groups, including young people, taken at Hama Film booths in Melbourne.
Lack of Response from Vibecast
Hama Film is owned by Vibecast, and Zeacer’s attempts to notify the company about the issue have been unsuccessful. Vibecast has not responded to multiple requests for comment from TechCrunch, nor to a message sent to co-founder Joel Park via LinkedIn. This lack of communication is raising further alarm about the company’s commitment to protecting customer information.
The absence of a response is particularly concerning given the sensitive nature of the exposed data. Photo booth pictures often contain personal information and depict individuals in potentially vulnerable situations. The potential for misuse, including identity theft or harassment, is significant.
The Importance of Rate Limiting
This incident highlights a common, yet critical, security oversight: the lack of rate limiting. Rate limiting is a security measure that restricts the number of requests a user can make to a server within a given timeframe. Without it, automated scripts can be used to rapidly access and download data, as demonstrated in this case.
This isn’t an isolated incident. Last month, TechCrunch reported a similar vulnerability affecting Tyler Technologies, a government contractor. Their websites, used for managing juror information, also lacked rate limiting, allowing attackers to potentially compromise juror profiles by brute-forcing personal details. This pattern suggests a broader need for improved cybersecurity practices across various industries.
Experts emphasize that implementing basic security protocols like rate limiting is a fundamental step in protecting user data. These measures are relatively inexpensive and straightforward to implement, yet they can significantly reduce the risk of data breaches and unauthorized access.
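To make the control described above concrete, here is a small per-client sliding-window rate limiter written for this article; it is an added example, not code from Hama Film, Vibecast or TechCrunch. It replays a constructed burst of 500 file requests in ten seconds from one address against a limit of 20 requests per minute, alongside a normal user's three requests, and shows how the scripted bulk download is cut off while ordinary use is unaffected. The client identifiers and request timings are constructed; in practice the key would be the client address or session, and the limiter would sit in front of the file-download handler. Rate limiting slows automated scraping but does not by itself fix the underlying problem the article describes, which is that the files could be fetched without authorization in the first place.

```python
import time
from collections import deque


class SlidingWindowRateLimiter:
    """Per-client sliding-window limiter: at most `limit` requests per `window` seconds.

    Each client keeps a deque of recent request timestamps; timestamps older than
    the window are discarded before the request is counted.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # client id -> deque of request timestamps

    def allow(self, client_id, now=None):
        """Return True if the request is within the client's budget, else False."""
        now = self.clock() if now is None else now
        hits = self._hits.setdefault(client_id, deque())
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: the caller should answer HTTP 429
        hits.append(now)
        return True


def simulate_bulk_download(limiter, client_id, request_times):
    """Replay a sequence of request timestamps; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for t in request_times:
        if limiter.allow(client_id, now=t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def demo():
    # Constructed scenario (not real traffic): a script asks for 500 files in
    # 10 seconds from one address, while a normal user fetches 3 files over a
    # minute. Addresses are documentation ranges, not real hosts.
    limiter = SlidingWindowRateLimiter(limit=20, window=60)
    scraper_times = [i * 0.02 for i in range(500)]  # 0.00 s .. 9.98 s
    user_times = [0.0, 20.0, 45.0]
    return {
        "scraper": simulate_bulk_download(limiter, "203.0.113.7", scraper_times),
        "user": simulate_bulk_download(limiter, "198.51.100.9", user_times),
    }


if __name__ == "__main__":
    for who, (ok, blocked) in demo().items():
        print(f"{who}: {ok} allowed, {blocked} blocked")
```

The sliding window is chosen over a fixed calendar-minute bucket because a fixed window lets a client spend a full budget at the end of one minute and another at the start of the next; the deque-per-client approach avoids that double burst at the cost of storing up to `limit` timestamps per client, which is acceptable for small limits like the one used here.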
Potential Legal and Reputational Ramifications
The exposure of customer data could have serious legal consequences for Vibecast and Hama Film. Depending on the jurisdiction, the company may be in violation of data privacy regulations, such as GDPR or CCPA, which require organizations to protect personal information.
Beyond legal issues, the incident is likely to damage the company’s reputation. Customers may be hesitant to use Hama Film booths if they fear their photos and videos could be compromised. Restoring trust will require a transparent and proactive response from the company, including a thorough investigation and implementation of robust security measures.
The incident also underscores the growing importance of responsible data handling in the entertainment and leisure sectors. As more businesses collect and store customer data, they must prioritize security to protect against potential breaches and maintain customer confidence.
TechCrunch has chosen to withhold specific details of the vulnerability to prevent further exploitation while Vibecast addresses the issue. The researcher, Zeacer, continues to monitor the situation and has indicated that the problem is not fully resolved.
The next step will be to see if Vibecast responds to the continued reporting and takes concrete action to secure its servers. A reasonable deadline for a full resolution would be within the next week, but the company’s silence to date introduces significant uncertainty. Observers will be watching closely for any announcements regarding a security patch and a notification plan for affected customers.