A photo booth maker’s website left thousands of images and videos accessible to anyone on the internet who could write a handful of lines of code, including snaps of drunken revellers on nights out and intimate moments. The security lapse, which stemmed from the way the site stored and served media, let anyone who knew where to look download entire galleries without having to log in.
The researcher, who goes by Zeacer, said the company had recently reduced the retention of files online from an average of two to three weeks to around 24 hours. That cut decreases the overall amount of content visible at any given time but does nothing to stop a malefactor from scraping all uploads for the day and then repeating that task every day. At one stage, prior to the retention change, over 1,000 images were viewable from a photo booth service operating in Melbourne, he said.
- What the researcher found about the insecure media URLs
- Why the website bug matters for user privacy and safety
- How these access control bugs happen in photo booth apps
- Regulatory and legal stakes for data exposure incidents
- What customers and event hosts can do to reduce the risk now
- A familiar pattern in event tech security and web app design
What the researcher found about the insecure media URLs
According to a review shared with this publication, the site’s media endpoint served files from predictable URLs and did not consistently require a login to fetch them. The result was a good, old-fashioned enumeration problem: by incrementing identifiers or following a simple naming pattern, a script could pull every photo and video ever uploaded to the server.
This is what security pros call broken access control, or an insecure direct object reference. OWASP rates broken access control as the number one risk for web applications, and for good reason: it is easy to overlook when building a product, and extremely damaging when abused.
Why the website bug matters for user privacy and safety
Event photo booths record extremely personal moments — weddings, office parties and product launches. These pictures can expose children, home addresses on badges or sensitive affiliations that are visible on lanyards and backdrops. And even if galleries are cycled off the server within a day, scraped copies remain on an attacker’s machine forever.
The financial losses from this kind of exposure can be significant. The latest IBM Cost of a Data Breach Report puts the global average cost of a breach in the multi-millions — including incident response, customer notification and legal exposure. The reputational damage for a consumer-facing brand — especially one built on “shareable moments” — may be even harder to calculate.
How these access control bugs happen in photo booth apps
Many event-tech vendors depend on swift, cloud-based galleries to deliver files to clients’ phones within seconds. The siren song of public object storage, simple URL path patterns, or client-side-only checks can lure teams into cutting corners. Without server-side permission gates (signed URLs, rotating tokens or unguessable IDs), these galleries can be enumerated at scale.
Defenses are well known:
- Private-by-default storage
- Time-limited and audience-restricted links
- Randomized IDs
- Rate limiting
- Continuous logging and monitoring to detect unusual download bursts
A thorough pre-production security review and regular penetration testing often catch these problems before they reach production.
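To make the enumeration problem and the defences concrete, here is an added example (not code from the vendor or the researcher) of a minimal gallery media gate that applies the list above: private-by-default storage, random identifiers, HMAC-signed links that are time-limited and bound to one audience, a per-client rate limit, and a detection pass over the access log. The store, the signing key, the client addresses and the log format are all constructed stand-ins for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical signing key. A real deployment would load it from a secret store
# and rotate it; generating it at import time is a constructed stand-in.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed in-memory stand-in for a private object store: media_id -> (event_id, bytes).
# Nothing in it is reachable by URL alone; every request must pass serve() below.
MEDIA_STORE = {}

# Constructed access log: one dict per request, consumed by suspicious_clients().
ACCESS_LOG = []

RATE_WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 30
_request_times = defaultdict(deque)  # client_ip -> timestamps of recent requests


def upload(event_id, data):
    """Store a file under a random 128-bit identifier instead of a sequential number."""
    media_id = secrets.token_urlsafe(16)
    MEDIA_STORE[media_id] = (event_id, data)
    return media_id


def _signature(media_id, audience, expires):
    msg = f"{media_id}|{audience}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(media_id, audience, ttl_seconds=3600, now=None):
    """Mint a time-limited link bound to one audience (e.g. the guests of one event)."""
    if media_id not in MEDIA_STORE:
        raise KeyError(media_id)
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    query = urlencode({"aud": audience, "exp": expires,
                       "sig": _signature(media_id, audience, expires)})
    return f"https://gallery.example/media/{media_id}?{query}"


def _rate_limited(client_ip, now):
    recent = _request_times[client_ip]
    while recent and recent[0] <= now - RATE_WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        return True
    recent.append(now)
    return False


def serve(url, requester_audience, client_ip, now=None):
    """Server-side gate. Returns (http_status, body); only 200 carries media bytes.

    requester_audience is whatever the caller's session proves about them (which
    event's guest list they belong to); an unauthenticated caller passes "".
    """
    now = time.time() if now is None else now
    parsed = urlparse(url)
    media_id = parsed.path.rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    def deny(status):
        ACCESS_LOG.append({"ip": client_ip, "media_id": media_id, "status": status, "ts": now})
        return status, b""

    # Count every request, valid or not, so guessing attempts burn the budget too.
    if _rate_limited(client_ip, now):
        return deny(429)
    try:
        audience, expires, sig = params["aud"], int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return deny(400)  # a bare /media/<id> is never enough
    if media_id not in MEDIA_STORE:
        return deny(404)
    if not hmac.compare_digest(sig, _signature(media_id, audience, expires)):
        return deny(403)  # tampered id, audience or expiry
    if now > expires:
        return deny(403)  # link outlived its TTL
    if audience != requester_audience:
        return deny(403)  # forwarded link used outside its audience
    ACCESS_LOG.append({"ip": client_ip, "media_id": media_id, "status": 200, "ts": now})
    return 200, MEDIA_STORE[media_id][1]


def suspicious_clients(log, denied_threshold=20):
    """Detection over the access log: clients racking up denials look like enumeration."""
    denials = defaultdict(int)
    for entry in log:
        if entry["status"] != 200:
            denials[entry["ip"]] += 1
    return {ip for ip, n in denials.items() if n >= denied_threshold}
```

The key design choice is that the URL alone never grants access: the identifier is unguessable, the signature covers the audience and expiry so neither can be edited, and the requester still has to prove membership of that audience. Rate limiting runs before any validation so that a burst of guessed or tampered URLs is throttled and shows up in the log as a cluster of denials, which is what suspicious_clients() flags.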
Regulatory and legal stakes for data exposure incidents
There may be multiple privacy regimes that could apply, depending on where the booth is placed and who is pictured. In Australia, the Office of the Australian Information Commissioner requires businesses to be proactive in securing data and disclosing eligible data leaks. In the EU and UK, GDPR mandates data protection by design, and fines of up to 4% of global annual turnover for serious breaches.
One question is whether the vendor acts as a service provider to event hosts (a processor) or serves consumers directly (a controller). Either way, minimizing retention and locking down access are basic expectations — especially for media that depicts identifiable people.
What customers and event hosts can do to reduce the risk now
Those who used a photo booth within the last month should assume their images could have been accessed while they were online, and should contact their vendor to say whether they want their photos deleted.
Practical steps for customers:
- Set galleries to private, if possible.
- Turn off public sharing options.
- Request that vendors delete galleries permanently through support channels.
- Don’t upload scans of IDs, addresses or other sensitive information to event galleries.
Event organizers should push suppliers for details:
- How long are files kept?
- Are links signed and time-limited?
- Are IDs random and unguessable?
- Is storage private by default?
- What third-party audits back those claims (like SOC 2 or ISO 27001)?
Contracts must include specific data processing terms, breach notification responsibilities and a right to security review.
A familiar pattern in event tech security and web app design
The photo booth episode is representative of a trend in consumer media apps and event agencies, where breakneck growth outstrips security hardening. The latest Data Breach Investigations Report again identifies web application abuse and access control deficiencies as leading causes of data loss. These are problems that can easily be prevented — and they seldom demand exotic solutions.
For now, the vendor’s choice to shrink retention of such recordings limits how much is exposed at any one time, but it does not replace good authentication and authorization. And as long as galleries remain leaky sieves, there is a risk that an enterprising scraper can make moments meant for friends and family into a public archive.