Replies

helpfulanon
Posted at 6:34 pm on Mar. 26, 2009
I can do it. helpfulanon@gmail.com for more info.

Narfle the Garthok
Posted at 11:11 am on Aug. 20, 2008
Quote: from fouad at 11:06 am on Aug. 20, 2008
Photobucket Allows Public Access To Private Photos

I got an email from Ryan N today describing a huge privacy leak in Photobucket - allowing anyone to look at anyone else's private photos. Photobucket protects photos normally by password protecting them. However, as Ryan found, a username/password is not the only way to access the photos:

Here's a random livejournal user's "bucket": http://img.photobucket.com/albums/v462/glass0rthodoxy/ As you can see, it requires a login. Replace the subdomain with 'pb5' and voila, you're in: http://pb5.photobucket.com/albums/v462/glass0rthodoxy/

As you can see, simply looking at the exact same directory on another hostname allows you complete access to the user's private photos. Allowing indexing is not always a bad thing - sometimes it's a huge convenience. Other times it's a huge privacy leak that can cause people a lot of trouble and pain. Who knows what private photos people store there?

This is a great example of why you can't think about applications the same way browsers do (same domain policy). Other servers can provide equal or better opportunity for exploitation and data leakage if they are somehow tied together. It's best to explore all options when doing penetration testing. Nice find, Ryan!

Source: http://ha.ckers.org/blog/20070713/photobucket-allows-public-access-to-private-photos/
That was patched ages ago.

Fouad
Posted at 11:06 am on Aug. 20, 2008
Photobucket Allows Public Access To Private Photos

I got an email from Ryan N today describing a huge privacy leak in Photobucket - allowing anyone to look at anyone else's private photos. Photobucket protects photos normally by password protecting them. However, as Ryan found, a username/password is not the only way to access the photos:

Here's a random livejournal user's "bucket": http://img.photobucket.com/albums/v462/glass0rthodoxy/ As you can see, it requires a login. Replace the subdomain with 'pb5' and voila, you're in: http://pb5.photobucket.com/albums/v462/glass0rthodoxy/

As you can see, simply looking at the exact same directory on another hostname allows you complete access to the user's private photos. Allowing indexing is not always a bad thing - sometimes it's a huge convenience. Other times it's a huge privacy leak that can cause people a lot of trouble and pain. Who knows what private photos people store there?

This is a great example of why you can't think about applications the same way browsers do (same domain policy). Other servers can provide equal or better opportunity for exploitation and data leakage if they are somehow tied together. It's best to explore all options when doing penetration testing. Nice find, Ryan!

Source: http://ha.ckers.org/blog/20070713/photobucket-allows-public-access-to-private-photos/

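Added example, not from this thread, from Photobucket or from the ha.ckers.org post: a small Python model of the leak quoted above, the same album path served by two hostnames with the login check attached to only one, next to the corrected layout where authorization is a property of the resource and runs before any virtual-host dispatch. The hostnames and album path are the ones the post quotes; the album table, the session flag, the hostname allowlist and the 421 response for unrecognised hosts are assumptions.

```python
"""Model of a per-vhost authorization gap and its fix (constructed example)."""
from dataclasses import dataclass

# Constructed data: the private album from the post and the two hostnames it names.
PRIVATE_ALBUMS = {"/albums/v462/glass0rthodoxy/"}
KNOWN_HOSTS = ["img.photobucket.com", "pb5.photobucket.com"]


@dataclass(frozen=True)
class Request:
    host: str            # value of the Host header
    path: str            # request path, normalised
    authenticated: bool = False  # assumed: a valid session for this album


def serve_vulnerable(req: Request) -> int:
    """Vulnerable layout: the login check is part of the 'img' vhost only.
    Any other hostname that maps the same directory serves it unchecked."""
    if req.host == "img.photobucket.com":
        if req.path in PRIVATE_ALBUMS and not req.authenticated:
            return 401
    return 200  # default vhost: plain directory serving, no policy


def serve_fixed(req: Request) -> int:
    """Fixed layout: the policy is evaluated on the resource before dispatch,
    so every hostname that can reach the path enforces it. Hostnames not in
    the allowlist are refused (421 Misdirected Request) rather than falling
    through to a default vhost with weaker rules."""
    if req.host not in KNOWN_HOSTS:
        return 421
    if req.path in PRIVATE_ALBUMS and not req.authenticated:
        return 401
    return 200


def leaking_hosts(handler, path: str, hosts=KNOWN_HOSTS) -> list[str]:
    """Deployment regression check: for a private path, every configured
    hostname must refuse an unauthenticated request. Returns those that do not."""
    return [h for h in hosts if handler(Request(h, path)) == 200]


if __name__ == "__main__":
    album = "/albums/v462/glass0rthodoxy/"
    print("vulnerable leaks via:", leaking_hosts(serve_vulnerable, album))
    print("fixed leaks via:", leaking_hosts(serve_fixed, album))
```

Running the regression check against your own hostname inventory after every vhost change is the cheap way to catch this class of bug before someone else does.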
hawtshawty
Posted at 10:59 am on Aug. 20, 2008
I NEED TO KNOW HOW TO VIEW A PRIVATE PHOTOBUCKET TO GET BACK AT THE DUDE THAT DID THAT 2 ME PLZZZ SUM 1 TELL ME HOW PM ME

Stand Up
Posted at 10:52 am on Aug. 20, 2008
Quote: from hawtshawty at 1:41 pm on Aug. 20, 2008
Quote: from iJeannie at 10:41 am on Aug. 20, 2008
There's a way. =/ But it's like with a program and all. Are you sure it's private?
yeah it's private i double checked and everything this sux
UH nuh. Did you have bad pictures? =/ Better start deleting. btw, maybe you had an easy guest password and that's how he logged in. Check it out in your account options!

Stand Up
Posted at 10:51 am on Aug. 20, 2008
Quote: from Pardon my French at 1:43 pm on Aug. 20, 2008
Quote: from iJeannie at 10:41 am on Aug. 20, 2008
There's a way. =/ But it's like with a program and all. Are you sure it's private?
A program you say... sounds technical. You sound like you know all about it. I think you are a smart girl because you know about, like, programs and stuff. Maybe could you hack my ex-girlfriend's email? I tried but the password is really tough. I'm sure that with, like, a program, it would be really easy for a computer genius such as yourself to figure out.
Hey. You're so nice. Srsly they had a video of how to do it but it was removed from youtube. I can't remember now. I asked about this a while ago, there was a topic.. But it got fucked with the bug. You sound like an awesome ex-boyfriend btw.

Narfle the Garthok
Posted at 10:44 am on Aug. 20, 2008
Post from this position was omitted due to content violations

Pardon my French
Posted at 10:43 am on Aug. 20, 2008
Quote: from iJeannie at 10:41 am on Aug. 20, 2008
There's a way. =/ But it's like with a program and all. Are you sure it's private?
A program you say... sounds technical. You sound like you know all about it. I think you are a smart girl because you know about, like, programs and stuff. Maybe could you hack my ex-girlfriend's email? I tried but the password is really tough. I'm sure that with, like, a program, it would be really easy for a computer genius such as yourself to figure out.

hawtshawty
Posted at 10:41 am on Aug. 20, 2008
Quote: from iJeannie at 10:41 am on Aug. 20, 2008
There's a way. =/ But it's like with a program and all. Are you sure it's private?
yeah it's private i double checked and everything this sux

Praise the Lard
Posted at 10:41 am on Aug. 20, 2008
if it's on the internet it can be accessed by anyone, theoretically

itbeme
Posted at 10:41 am on Aug. 20, 2008
I don't think there's a way, maybe he found out your password?

Stand Up
Posted at 10:41 am on Aug. 20, 2008
There's a way. =/ But it's like with a program and all. Are you sure it's private?

Seani
Posted at 10:40 am on Aug. 20, 2008
There's ways around everything.