PhotobucketTwo men in the US are facing up to 15 years in federal prison after they allegedly developed and sold a piece of software that was able to automatically hack into the private online photo albums of women and steal their naked photos.
Brandon Bourret and Athanasios Andrianakis were arrested on May 8 and accused of creating a piece of software named "Photofucket" that looks through private online photo albums on the photo-sharing site Photobucket. They have not yet responded to the charges. The US Department of Justice cautions that "the charges contained in the indictment are allegations and the defendants are presumed innocent unless and until proven guilty."
Lots of people use Photobucket to host personal photographs online. It was acquired by MySpace in 2007 for $250 million, but eventually sold off to a Seattle-based company in 2010. Although it is less popular than it once was, a lot of people still have photos on the site because they used it for MySpace, while others still use it as a handy place to store their photographs online and share them with others.
A giant cache of photos from around the world is an attractive target for hackers. There are plenty of forums online where people buy and sell tools to search through private photos in search of naked women. But most of those tools - like the ones used in a mass release of naked celebrity photos called "the Snappening" - require users to hack each account manually.
Bourret and Andrianakis allegedly developed Photofucket so that it would isolate hidden photographs automatically.
The tool works by "fusking" URLs to expose links to private photos. Fusking is the act of locating a web site or account that you know is on the web, and then guessing URL addresses that branch off it until you find pages that are not supposed to be seen. The tool tries lots of different URLs automatically - by sequentially changing plausible dates or numbers in the original URL - until it discovers links to photos that are on the web but posted in a location that is otherwise private.
Here's what it looks like when you run the tool on someone's account in search of their photos:
Fusking isn't a new exploit, however. In fact, it has been a known security issue for years. BuzzFeed wrote about Photobucket fuskers back in 2012. Photobucket has tried to shut down fuskers by implementing levels of security, which appears to have infuriated the hackers who were trying to find naked photos.
Emails that the Department of Justice claims were sent between Bourret and Andrianakis show a constant fight against the site's increased security:
Developing the hacking software was just the first step, though. To make money off an exploit, hackers need to find a buyer willing to hand over money. Luckily for hacker developers, there are several online forums dedicated to stealing photos of women and sharing advice on how to do it.
One of the most famous forums used by hackers to find porn is called AnonIB. There's a chance you might recognise that name - it's the website where photos of naked celebrities first surfaced after a user named "Originalguy" posted his collection of photographs stolen from Apple's iCloud. That collection quickly spread to the anarchic bulletin board forum 4chan, then to Reddit, and front pages around the world as stars like Jennifer Lawrence and Kate Upton saw their private photographs posted online.
Niche porn forums have discussed Photobucket exploits for years, but Photofucket managed to monetise that interest by automating the process and marketing the software directly to porn forums.
The basic version of the product was available for free, but the developers charged $29.99 for a fully upgraded version that could retrieve passwords and automatically scan user profiles.
Photofucket A post on the "booty shakin'" discussion forum on ShakinItForum.com from 2007 titled, "New photobucket exploit out", is typical of the interest in Photobucket exploits. User "Toxik" explained that the exploit "hasn't been longer than a week. Grants access too all images and videos, including Tos'd [Images deleted for violating the site's terms of use]. If anybody knows anything about it please post here, I will contribute when I find out more."
Other users joined in to the discussion, commenting "any proof? couse i've already heard this story..." so the original poster returns with a link to AnonIB that details the exploit in a specific sub-forum dedicated to finding naked photographs of women on Photobucket.
Photobucket exploits and fusking remain a regular topic of discussion on AnonIB, even after it wiped much of the site following the iCloud hack.
Here's a discussion from January 2015 on AnonIB:
AnonIB
One user posted a photo of a woman and her Photobucket URL, then asked for help in finding her private photographs and movies. A more experienced user fusks the victim's profile by manually trying different URLs in the hope of finding photos. The user explains that "some chicks just keep adding -1-2-3" onto photo URLs, meaning that it's easy for people to guess the links to their private photos.
AnonIB
Someone else on AnonIB suggested trying to reset her password using Google searches to learn her date of birth and email address. Later comments ask for "any wins?" "Wins" is internet slang for naked photographs, which is what hackers are looking for on Photobucket.
The arrest of the pair of alleged developers isn't going to stop people fusking for naked photos. The software is still available online for free, and exploits are still openly discussed on forums. One Wikipedia user warns that the fusking industry has existed for years:
When sites like realwebwhores, navnet, ixtractor, fuskerfind and anonib exist because of photobucket's crap security and millions of unwitting girls are having their images stolen and hidden in rars files on sites like rapidshare I'd call that a "slight" security problem.