Slashdot Mirror


Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos

fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?

2 of 94 comments

  1. Careful by phantomfive · Score: 5, Informative

    Be careful when using this vulnerability... depending on your purpose in using it, you could be literally committing a crime. If you download the images by modifying the URL... people have gone to jail for that.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Careful by phantomfive · Score: 5, Informative

      I think you're trolling, but this guy went to jail for running almost the exact same script as is found in the article. This guy didn't even have malicious intent when he modified the URL, and he was still convicted.

      --
      "First they came for the slanderers and i said nothing."