Security Flaw in Hama Film Website Exposes Customer Photos, Company Unresponsive

Security Flaw in Photo Booth Company’s Website Exposes Customer Images

A significant security vulnerability has been discovered in the website of Hama Film, a company specializing in photo booth services across Australia, the United Arab Emirates, and the United States. This flaw has led to the unintended exposure of customers’ personal photos and videos online.

The issue came to light when a security researcher, known by the pseudonym Zeacer, identified the vulnerability in October. Despite promptly reporting the problem to Hama Film, Zeacer received no response. In late November, he escalated the matter by informing TechCrunch, providing them with samples of the exposed images. These samples depicted groups of young individuals posing in the company’s photo booths.

Hama Film’s photo booths are designed not only to print physical copies of photos but also to upload digital versions to the company’s servers. Due to the identified flaw, these uploaded images became accessible to unauthorized individuals.

Vibecast, the parent company of Hama Film, has remained unresponsive to multiple attempts at contact from both Zeacer and TechCrunch. As of December 12, 2025, the security vulnerability persists, leaving customer data exposed. To prevent potential misuse, specific details of the flaw have been withheld from public disclosure.

Initially, photos stored on Hama Film’s servers were deleted every two to three weeks. However, recent observations indicate that images are now removed after 24 hours. While this reduces the volume of exposed data at any given time, the vulnerability still allows for daily exploitation, enabling unauthorized access to all photos and videos uploaded within a 24-hour window.

This incident underscores the critical importance of implementing robust security measures, such as rate-limiting and secure data storage practices. Similar lapses have been observed at other companies. For instance, in May 2024, TechCrunch reported that Tyler Technologies failed to implement rate-limiting on its websites, allowing unauthorized access to jurors’ personal information. Additionally, in October 2025, event startup Partiful was found not to be stripping GPS location data from user-uploaded photos, potentially exposing users’ precise locations.

The Hama Film case serves as a stark reminder for companies handling sensitive customer data to prioritize and continually update their cybersecurity protocols to prevent unauthorized access and protect user privacy.