- A flaw in Hama Film’s website exposed photo‑booth images from the US, UAE, and Australia to anyone who knew where to look
- Researchers saw 1,000+ images from Melbourne booths, and says photos were accessible for up to 24 hours
- Even short‑term exposure enables identity abuse: fake profiles, scams, bypassing selfie checks, and building synthetic identities
A popular photo booth chain found across the US, UAE, and Australia was found to store all its image data on a server which can (easily) be accessed through the website of the device manufacturer, essentially exposing people’s identities to potentially malicious players, experts have warned.
Cybersecurity researcher alias Zeacer told TechCrunch that one point, they were able to view more than 1,000 pictures for Melbourne-based booths.
Zeacer reached out to Hama Film to notify it of the vulnerability in its website, but received no response – forcing the researcher to reached out to the media, sharing a sample of pictures taken from the company’s servers which showed groups of clearly young people posing in photo booths.
A thousand exposed photos
While this definitely limits the number of pictures exposed at a given moment, a particularly persistent attacker (or one that automates their work) could still download all of the photos passing through the infrastructure.
Once hackers obtain these photos, the abuse potential multiplies fast. Clear facial images can be used to create convincing fake social media profiles, which are then weaponized for romance scams, investment fraud, or social engineering attacks.
Cybercriminals can use stolen photos to pass basic identity checks, register for online services, or bypass weak “selfie verification” systems. In some cases, they can even be paired with leaked personal data to apply for jobs, open accounts, or build synthetic identities.
Even if we ignore the obvious question – why would a photo booth store these pictures anywhere in the first place – it is also worth mentioning that the images don’t appear to be stored permanently.
Zeacer’s initial investigation determined that the photos get deleted every two to three weeks, but later said they actually get removed after 24 hours.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment