Photobucket, that almost-obsolete image hosting site almost no one talks about anymore, became news again last week with a nude-photo privacy-breach scandal related to a long-known-about security problem in how it links to photos. Photobucket says a fix has been available to users for two years, but based on last week's news it's clear the problem is as bad as ever.
Riding the increased interest in security flaws following Wired journalist Mat Honan’s “digital life destroying” hack (which wasn’t really a hack, just an exploitation of Apple and Amazon’s lax security measures), Buzzfeed’s Katie Notopoulis wrote about “fusking:” the practice of using guesswork - often aided by a simple script - to find links to photos that are not supposed to be available to the public. Photos that are fusked, including those of underage girls in various states of undress, end up on 4chan, Notopoulis pointed out.
Fusking isn’t new; it’s been around since 2002 and has typically been used for gaining access to pornography. The practice works by exploiting the fact that some sites give their photos simple, sequential titles like image01, image02 and so on. By fusking, someone gains access to the photos just by guessing the URL.
That kind of image titling is an example of security by obfuscation, the idea that if you make something hard to see or don't mention it publicly, then the information is secure. This works in theory until you remember computers are faster than humans at guessing things like URLs, which is precisely where fusking comes in.
“Security by obfuscation isn't necessarily a bad thing,” said Stuart Ross, a Web developer who built DailyDot.com and the San Francisco-based start-up Sponsorfied.com. “Having to guess a 25-character hash is difficult even for a computer, but having sequentially numbered file names is easy even for a human and I'd hardly call it security.”
“Photobucket has offered users the option of scrambling URLs for the past two years to help prevent fusking,” wrote David Toner, Photobucket’s Marketing VP, when reached for comment.
The first publicly documented incidents of Photobucket fusking happened in 2008, and googling “photobucket fusking” reveals pages of forum posts and tutorials, including YouTube videos by young men ecstatic at having found sexually explicit photos of their female friends.
Toner declined to comment on how long the company has known about fusking, but he did write that the number of users being fusked “is a very small percentage of the total user base.”
“Right now, the company is in the process of reminding users again about the option to scramble their URLs to prevent fusking. If users have not scrambled their URLs previously, they can do so in a few easy steps, which are detailed here.”
"While Photobucket has security measures to help protect the information under our control, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. [W]e cannot ensure or warrant that any information you transmit to us will stay safe and secure and you do so at your own risk."
The site's traffic has been falling for years despite its partnership with Twitter. In the image hosting and sharing Web race, Photobucket has unquestionably been crushed by Facebook, which has a much more secure way of storing photographs.
Facebook’s security model (for photographs) is identity based, meaning it requires you to be logged in as a site user and your identity has to be granted permission in order to access that photo. Ross called this “a really good way” of doing security, adding the difficulty for Photobucket to implement something similar isn’t high, “if it is, they probably have larger infrastructure issues.”
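To make the contrast concrete, here is an added illustration (not Photobucket's or Facebook's code) of the three link models the article discusses: sequential file names, scrambled unguessable identifiers, and an identity-based permission check. The class and method names are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example: a minimal photo store. Names such as PhotoStore and
# can_view are hypothetical and not from any real hosting service.

@dataclass
class Photo:
    owner: str
    public: bool = False
    shared_with: set = field(default_factory=set)

class PhotoStore:
    def __init__(self):
        self._photos = {}
        self._next_seq = 1

    def upload_sequential(self, owner, public=False):
        # The weak scheme: image01, image02, ... is trivially enumerable,
        # so anyone who knows one link can guess its neighbours.
        photo_id = f"image{self._next_seq:02d}"
        self._next_seq += 1
        self._photos[photo_id] = Photo(owner, public)
        return photo_id

    def upload_scrambled(self, owner, public=False):
        # "Scrambled" URL: 16 random bytes (128 bits) from the OS CSPRNG,
        # encoded as a 22-character URL-safe token. Guessing is infeasible,
        # but the link itself is still the only secret protecting the photo.
        photo_id = secrets.token_urlsafe(16)
        self._photos[photo_id] = Photo(owner, public)
        return photo_id

    def share(self, owner, photo_id, viewer):
        # Only the owner may grant another identity access to a photo.
        photo = self._photos[photo_id]
        if photo.owner != owner:
            raise PermissionError("only the owner can grant access")
        photo.shared_with.add(viewer)

    def can_view(self, viewer, photo_id):
        # Identity-based check: knowing the URL is not enough. Anonymous
        # requests (viewer is None) only see photos marked public; private
        # photos require a logged-in identity that is the owner or has a grant.
        photo = self._photos.get(photo_id)
        if photo is None:
            return False
        if photo.public:
            return True
        if viewer is None:
            return False
        return viewer == photo.owner or viewer in photo.shared_with
```

With the identity check in place, a correctly guessed sequential name still yields nothing to an anonymous request, which is the property the scrambled-URL option alone does not give.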