
A significant privacy vulnerability has been discovered in a multinational photo booth company’s digital infrastructure, potentially exposing thousands of customer images without the customers’ knowledge or consent. A security researcher known as Zeacer identified the flaw in Hama Film’s servers, where customer photos taken in the company’s booths are automatically uploaded and stored.
The researcher reported this concerning discovery to TechCrunch in November after Hama Film and its parent company Vibecast failed to respond to multiple security notifications. The vulnerability remains partially unresolved as of publication time.
The Scope of the Exposure
Hama Film operates photo booth franchises across multiple countries including Australia, the United Arab Emirates, and the United States. Unlike traditional photo booths that simply print physical copies, these modern booths upload digital versions to company servers, creating a repository of customer images that became accessible due to the security flaw.
Evidence shared with TechCrunch included photos of what appeared to be minors posing in the company’s booths, raising serious privacy concerns, especially regarding underage customers. At one point, the researcher observed more than 1,000 images from Melbourne locations alone accessible through the vulnerability.
Technical Details and Company Response
While specific details about the vulnerability have been withheld to prevent exploitation, the issue appears to stem from inadequate security protocols on the company’s web servers where customer media is stored. The researcher noted the absence of basic security measures such as rate-limiting, which could have prevented unauthorized bulk access to stored content.
Despite multiple attempts to contact Hama Film, Vibecast, and co-founder Joel Park through various channels including LinkedIn, the companies have remained unresponsive to both the researcher and TechCrunch’s inquiries. This silence persists even as customer data remains at risk.
Partial Mitigation Without Resolution
The researcher observed that when first discovered, photos appeared to remain on the company’s servers for two to three weeks before deletion. More recently, this retention period seems to have been reduced to approximately 24 hours, which somewhat limits the volume of exposed content at any given moment.
However, this adjustment fails to address the core vulnerability. According to Zeacer, a malicious actor could still exploit the security flaw daily to systematically download all new photos and videos uploaded to the server within each 24-hour window, creating a persistent privacy breach despite the shorter retention period.
Industry Context and Similar Incidents
This incident fits a troubling pattern in commercial digital services that collect customer data without implementing adequate security measures. A similar case emerged last month when TechCrunch reported that government contractor Tyler Technologies had failed to implement rate-limiting on websites managing juror information, allowing potential access to personal data through simple brute force methods.
These cases highlight how even basic security practices like rate-limiting and access controls are sometimes overlooked by companies handling sensitive customer information. The photo booth vulnerability is particularly concerning as it involves images of people, including minors, captured during what customers would reasonably expect to be private, fun experiences.
Consumer Privacy Implications
For consumers, this incident serves as a reminder that digital services—even seemingly innocuous ones like photo booths—may expose personal data in unexpected ways. When using any service that captures personal images or information, consumers should consider:
- Whether the service clearly explains where data is stored
- How long data is retained
- What security measures protect that data
- How to request removal of personal information
As of the latest update, the security vulnerability in Hama Film’s systems has not been fully addressed, leaving an unknown number of customer photos potentially exposed each day despite the researcher’s repeated attempts to alert the company to the problem.
