**Photo Booth Vendor’s Security Flaw Exposed Thousands of Private Images and Videos**
A security researcher, known as Zeacer, uncovered a critical vulnerability in a photo booth vendor’s website that left thousands of images and videos—including intimate moments and drunken party snapshots—publicly accessible without authentication. The flaw stemmed from insecure direct object references, where media files were served via predictable URLs, allowing attackers to enumerate and download entire galleries using simple scripts.
The company had recently reduced file retention from two to three weeks to just 24 hours, limiting the volume of exposed content at any given time. However, this change did not prevent attackers from scraping daily uploads. At one point, over 1,000 images from a Melbourne-based photo booth service were visible, highlighting the scale of the risk.
The incident underscores the dangers of broken access control, ranked by OWASP as the top web application security risk. Event photo booths often capture highly personal moments—weddings, corporate events, and private gatherings—where sensitive details like home addresses, children’s faces, or organizational affiliations may be inadvertently exposed. Even with short retention periods, scraped data remains permanently accessible to attackers.
The financial and reputational consequences of such breaches can be severe. IBM’s Cost of a Data Breach Report estimates global breach costs in the multi-millions, while consumer-facing brands built on "shareable moments" face lasting reputational harm. The flaw likely resulted from common shortcuts in event-tech development, such as public object storage, client-side-only checks, and predictable URL patterns—issues that could have been mitigated with server-side protections like signed URLs, randomized IDs, and rate limiting.
Regulatory risks also loom large. Under Australia’s privacy laws, businesses must proactively secure data and disclose breaches, while GDPR in the EU and UK imposes fines of up to 4% of global turnover for serious violations. The vendor’s role—as either a data processor or controller—determines specific compliance obligations, but minimizing retention and enforcing strict access controls are baseline requirements.
Customers who used affected photo booths in the past month should assume potential exposure and request gallery deletions from vendors. Event organizers are advised to demand transparency from suppliers, including details on file retention, link security, and third-party audits like SOC 2 or ISO 27001. Contracts should explicitly address data processing terms and breach notification responsibilities.
The incident reflects a broader trend in event tech, where rapid growth often outpaces security hardening. As web app vulnerabilities remain a leading cause of data breaches, basic safeguards—such as private-by-default storage and continuous logging—can prevent such exposures without requiring complex solutions. While the vendor’s retention reduction limits immediate risk, it does not replace proper authentication and authorization, leaving galleries vulnerable to persistent scraping.
Source: https://www.findarticles.com/photo-booth-website-bug-exposed-thousands-of-users-photos/
Photobooth Supply Co cybersecurity rating report: https://www.rankiteo.com/company/photoboothsupplyco
"id": "PHO1765565027",
"linkid": "photoboothsupplyco",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thousands of individuals, '
'including event attendees '
'(e.g., weddings, office '
'parties, product launches)',
'industry': 'Event Technology',
'type': 'Photo Booth Vendor'}],
'attack_vector': 'Insecure Direct Object Reference (IDOR)',
'customer_advisories': ['Set galleries to private if possible.',
'Turn off public sharing options.',
'Request permanent deletion of galleries through '
'vendor support.',
'Avoid uploading sensitive information (e.g., IDs, '
'addresses) to event galleries.'],
'data_breach': {'data_exfiltration': 'Possible via scraping scripts',
'file_types_exposed': ['Images', 'Videos'],
'number_of_records_exposed': 'Over 1,000 images at one stage '
'(prior to retention change)',
'personally_identifiable_information': 'Yes (e.g., home '
'addresses, '
'affiliations, '
'children)',
'sensitivity_of_data': 'High (personal moments, identifiable '
'individuals, potential PII)',
'type_of_data_compromised': ['Images', 'Videos']},
'description': 'A photo booth maker’s website with insecure media storage '
'left thousands of images and videos accessible to the '
'internet, including snaps of drunken revellers and intimate '
'moments. The security lapse allowed unauthorized downloads of '
'entire galleries without authentication due to predictable '
'URLs and broken access control.',
'impact': {'brand_reputation_impact': 'Significant reputational damage, '
'especially for a consumer-facing brand '
"predicated on 'shareable moments'",
'data_compromised': 'Thousands of images and videos, including '
'personal and sensitive moments',
'identity_theft_risk': 'Exposure of personally identifiable '
'information (e.g., home addresses, '
'affiliations)',
'legal_liabilities': 'Potential regulatory fines under GDPR, '
'Australian Privacy Act, and other privacy '
'laws',
'systems_affected': 'Photo booth website media storage and serving '
'endpoint'},
'lessons_learned': 'Broken access control and insecure direct object '
'references are critical vulnerabilities that can lead to '
'large-scale data exposure. Security measures like '
'private-by-default storage, time-limited links, '
'randomized IDs, and server-side permission gates are '
'essential to prevent such incidents.',
'post_incident_analysis': {'corrective_actions': ['Implement server-side '
'permission gates (e.g., '
'signed URLs, rotating '
'tokens).',
'Adopt randomized, '
'unguessable IDs for media '
'files.',
'Enforce private-by-default '
'storage.',
'Conduct security '
'pre-production reviews and '
'regular penetration '
'testing.'],
'root_causes': ['Predictable media URLs enabling '
'enumeration.',
'Lack of server-side '
'authentication and authorization.',
'Insecure direct object reference '
'(IDOR) vulnerability.',
'Over-reliance on client-side '
'checks for access control.']},
'recommendations': ['Implement private-by-default storage for media files.',
'Use time-limited and audience-restricted links with '
'signed URLs or rotating tokens.',
'Adopt randomized, unguessable IDs for media files.',
'Enforce rate limiting to prevent unusual download '
'bursts.',
'Conduct regular penetration testing and security '
'reviews.',
'Minimize data retention periods.',
'Ensure compliance with privacy regulations (e.g., GDPR, '
'Australian Privacy Act).',
'Educate customers and event hosts on secure usage '
'practices.'],
'references': [{'source': 'Researcher Zeacer'}],
'regulatory_compliance': {'regulations_violated': ['GDPR',
'Australian Privacy Act',
'Potential other regional '
'privacy laws']},
'response': {'containment_measures': 'Reduced file retention period from 2-3 '
'weeks to ~24 hours'},
'title': "Photo Booth Maker's Website Exposes Thousands of Images and Videos "
'Due to Insecure Access Control',
'type': 'Data Exposure',
'vulnerability_exploited': 'Broken Access Control (OWASP Top 10)'}