A company that makes photo booths has exposed images and videos from customers quickly to a simple flaw in the website where the files are stored, according to security researchers.
The researcher, who is zeacer, alerted Techcrunch to the security problem in late November after reporting the vulnerability Hama moviefranchised stock photography manufacturer in Australia, ing United Arab Emiratesand United States of Americabut heard no more.
Zeacer shared with TechCrunch a screenshot taken from Hama’s movie server, which clearly shows a group of young people in a photo booth. The HAMA film booth not only prints photos like a typical photo booth, but the booth also uploads customers’ photos to the company’s server.
Vibecast, which owns the pest film, has not responded to a message informing them of the problem. Vibecast also did not respond to multiple requests for comment from TechCrunch, and did not have Vibecast’s co-founder identified for a message sent through LinkedIn.
As of Friday, researchers said the company had not fully resolved the security flaw and continued customer data. As such, TechCrunch is perfecting certain details of the vulnerability of the publication. As such, TechCrunch is perfecting certain details of the vulnerability of the publication.
When ZEECER first discovered this flaw, they noted that the photos were deleted from the maker booth server every two to three weeks.
Currently, he said, images stored on the server appear to be deleted after 24 hours, which limits the number of available images. But hackers can still exploit the vulnerabilities found every day and download the content of every photo and video on the server.
TechCrunch events
San Francisco
I’m fat
October 13-15, 2026
Earlier this week, Zeacer said at one point he saw more than 1,000 images online for the Hama Film Booth in Melbourne.
This incident is the latest example of a company that has, at least recently, not implemented basic and widely accepted security practices, such as limit levels. last month, TechCrunch reports that government contractors are blind ignore the website used to allow the court to manage the personal information of jurors. This means that anyone can crack a Juror’s profile by running a computer script that can crowdsource their birth dates and easily guessed identifiers.