A security lapse in the website of international photo booth operator Hama Film has left customers’ pictures and videos publicly accessible online, according to findings shared by an independent researcher. The flaw exposes media files uploaded from photo booths across Australia, the United Arab Emirates, and the United States, raising concerns about the company’s handling of user data and its broader cybersecurity practices.
The researcher, known as Zeacer, discovered the vulnerability in October and promptly notified Hama Film. Despite multiple attempts to make contact, the company did not respond. After weeks without acknowledgment, the researcher alerted TechCrunch in late November, providing examples of exposed images to demonstrate the severity of the issue. The sample files included photos of young people posing inside the company’s booths, images that should have been accessible only to the customers who created them.
Hama Film’s booths do more than print traditional photo strips. The machines automatically upload captured images and videos to the company’s servers, enabling access through digital links. However, this upload process appears to rely on weak, insufficiently protected endpoints, leaving content vulnerable to unauthorized access.
Hama Film’s parent company, Vibecast, has also remained silent. The company did not respond to the researcher’s private warnings or multiple requests for comment from journalists. Vibecast co-founder Joel Park similarly declined to address concerns when contacted via LinkedIn.
As of the end of the week, the flaw remained unpatched. To prevent further exploitation, specific technical details are being withheld from public release.
Initially, images appeared to be stored on the servers for two to three weeks before deletion. More recently, the retention period was shortened to 24 hours, reducing the volume of exposed content but failing to eliminate the core vulnerability. According to the researcher, a malicious actor could still automate the process of downloading every image and video uploaded each day.
At one point, more than 1,000 photos from Hama Film’s Melbourne booths were visible online.
This incident adds to a growing list of companies lacking fundamental cybersecurity safeguards. It follows last month’s revelation that Tyler Technologies, a major U.S. government contractor, failed to implement basic rate-limiting on court websites—leaving juror profiles vulnerable to brute-force attacks.
The Hama Film case underscores an uncomfortable reality: even companies handling sensitive, personal, and often private images continue to overlook essential protections, exposing customers to risks that stronger security practices could easily prevent.