A hole in Photobucket's privacy model means that photos in private albums can be accessed with little effort. This hole has remained open for at least 5 years.

Last Friday night, Wired writer Mat Honan had his Twitter and email accounts broken into, and his phone, computer, and iPad all wiped. His story is frightening as well as sad (he lost important family photos), but it highlights just how possible it is to access some platforms without doing any actual "hacking" — the culprits took advantage of bad security policy and publicly available information to gain control of his accounts. Another service with a gaping security hole that people have been exploiting, hack-free and for at least five years, is Photobucket.

Remember Photobucket? Yes? You still have an account on there? You don't happen to have any... *squints eyes, looks around* old nudes in there, do you? If so, they might be much more easily found than you thought.

Photobucket handles privacy levels differently than other photo-sharing services like Flickr or Facebook. Instead of setting a privacy level on each individual photo, you set the privacy level ("Everyone," "Private," or "Password-protected") at the album level. If you select Private or Password-protected for an album, the photos won't show up in search, and someone browsing your profile wouldn't be able to find them. However, each photo is still accessible via a direct link to its URL. This means that if I put photos in a private or password-protected album, I can still send a direct link to an individual photo to my friend, and she won't need a password to view that photo. If she wants, she can pass along that link to any of her other friends, and they can also view it on the Photobucket site, no problem, regardless of how I set the privacy level on the album. This is meant to be a feature — in theory, only an album's owner would be able to share the link in the first place, since the only obvious way to find a photo's URL is to have access to its album.

Problem is, the URLs Photobucket uses for these pictures are built from the photos' actual file names, and file names aren't that hard to guess. For example, if the photo I want to send to Sally is DSC_003.jpg, she can guess that there's also a DSC_004.jpg in that album. And maybe I don't want her seeing DSC_004.jpg. Of course, your friends probably aren't going to sit there and guess every single possible file name. That would be time-consuming, and even harder if they hadn't seen that first file name to give them a hint. That's where "fusking" programs come in — you just enter the username and album name, and the fusking program will run through likely guesses and pull up any images it can find.

Who would want to do this? Corporate espionage? The CIA? Your boss? Of course not! It's all dudes who want to find nudes of that hot girl in their class. Instructional videos on how to download and use fusking programs are open about the fact that they're looking for girls' private photos. In one video, the motivation for fusking is clear:

"Have you ever, like, seen a really hot chick on Myspace or something, and she's got a picture on her front page? Like on her profile that she put it on there with HTML with a Photobucket link, and then you go to the username that's on the Photobucket link, and you get to the site, and the fricking name is private? It just PISSES you off, you know?"
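From the hosting service's side, the guessing the article describes leaves a distinctive trace: one client requesting many sequentially numbered file names under one album, most of which do not exist. The detector below is an added example, not anything Photobucket runs; the log lines are constructed in Apache combined format, the `/alice/vacation/` paths and the 203.0.113.7 and 198.51.100.4 addresses are documentation-range placeholders, and the thresholds in `find_enumeration` are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Trailing number before the extension, e.g. DSC_003.jpg -> 3, IMG_0042.png -> 42.
NUM_RE = re.compile(r'(\d+)\.[A-Za-z0-9]+$')


def _line(ip: str, path: str, status: int) -> str:
    # Constructed sample log line; timestamp and sizes are dummy values.
    return (f'{ip} - - [05/Aug/2012:22:14:01 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a normal visitor fetching a shared photo, then one client
# walking DSC_001..DSC_010 under the same album, hitting only two real files.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.4", "/alice/vacation/DSC_003.jpg", 200),
     _line("198.51.100.4", "/alice/profile.jpg", 200)]
    + [_line("203.0.113.7", f"/alice/vacation/DSC_{i:03d}.jpg",
             200 if i in (3, 7) else 404) for i in range(1, 11)]
)


def parse_line(line: str):
    """Return a record dict for one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    album, _, filename = m.group("path").rpartition("/")
    return {"ip": m.group("ip"), "album": album,
            "file": filename, "status": int(m.group("status"))}


def longest_sequential_run(filenames) -> int:
    """Length of the longest run of consecutive trailing numbers (003,004,005...)."""
    nums = set()
    for f in filenames:
        m = NUM_RE.search(f)
        if m:
            nums.add(int(m.group(1)))
    nums = sorted(nums)
    best = cur = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_enumeration(log_text: str, min_distinct: int = 8,
                     min_404_ratio: float = 0.5, min_run: int = 6):
    """Flag (client, album) pairs that look like file-name guessing.

    A pair is flagged when it requested at least `min_distinct` different files
    in one album and either most of them did not exist or the names form a long
    consecutive numeric run. Thresholds are example values, not tuned ones.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["album"])].append(rec)

    alerts = []
    for (ip, album), recs in groups.items():
        files = {r["file"] for r in recs}
        if len(files) < min_distinct:
            continue
        not_found = sum(1 for r in recs if r["status"] == 404)
        ratio = not_found / len(recs)
        run = longest_sequential_run(files)
        if ratio >= min_404_ratio or run >= min_run:
            alerts.append({"ip": ip, "album": album, "distinct": len(files),
                           "not_found_ratio": round(ratio, 2),
                           "sequential_run": run})
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

The 404 ratio and the sequential-run length are deliberately separate signals: a guesser working from a dictionary of common camera prefixes produces mostly misses, while one that has already found the numbering scheme produces mostly hits but in strict order. Either pattern on its own is enough to rate-limit or challenge the client for that album.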