A significant security vulnerability on the website of photo booth maker Hama Film has been exposing customers' private photos and videos online, a security researcher has revealed. Despite repeated warnings, the flaw, which allows anyone to easily download user content, remains largely unaddressed, raising serious data privacy concerns for users of Hama Film's services.
The vulnerability was first identified by a security researcher known as Zeacer, who reported the issue to Hama Film in October. After receiving no response, Zeacer escalated the matter to TechCrunch in late November, providing evidence of the exposed data. Hama Film, which operates franchises in Australia, the United Arab Emirates, and the United States, has yet to publicly acknowledge or fully resolve the problem.
Zeacer demonstrated the flaw by sharing sample images with TechCrunch, which showed groups of young individuals posing in photo booths. Hama Film's booths not only print physical photos but also upload digital copies to the company's servers, where the security lapse occurs. The simple backend system flaw allows unauthorized access and download of these sensitive customer pictures and videos.
Vibecast, the parent company of Hama Film, has not responded to Zeacer's messages or multiple requests for comment from TechCrunch. Joel Park, co-founder of Vibecast, also did not reply to messages sent via LinkedIn, indicating a lack of communication regarding the critical data exposure.
As of Friday, the researcher confirmed that Hama Film has still not fully resolved the security vulnerability, meaning customer data continues to be at risk. To prevent further exploitation, TechCrunch is withholding specific technical details of the vulnerability from publication. While Zeacer initially observed photos being deleted from servers every two to three weeks, the company appears to have adjusted its retention policy, with pictures now seemingly deleted after 24 hours. However, this change only limits the duration of exposure; a determined attacker could still exploit the vulnerability daily to download all newly uploaded photos and videos.
Prior to the recent retention policy change, Zeacer reported seeing over a thousand pictures online from Hama Film booths in Melbourne alone. This incident serves as another stark reminder of companies failing to implement fundamental and widely accepted security practices, such as rate-limiting. Last month, TechCrunch reported that government contractor Tyler Technologies was involved in a similar vulnerability, where a lack of rate-limiting exposed sensitive personal data in jury management systems across several U.S. states.