Last week, we explored the story of Randall Charles Tucker, a serial distributed denial of service (DDoS) attacker who targeted the websites of government authorities whom he felt were guilty of unjust behavior. We now report on the story of Brandon Bourret and Athanasios Andrianakis, two men who developed an app that searches through Photobucket users’ private albums in search of nude photos. Brandon Bourret, 39, of Colorado Springs, Colorado, and Athanasios Andrianakis, 26, of Sunnyvale, California, are responsible for creating “Photofucket,” an app that exploits a security vulnerability in Photobucket’s settings to locate sensitive images in users’ photo albums.
The app relies on a security oversight that lets users of the photo storing website to set different privacy levels at the album level, and not at the individual level. According to an article published on Buzzfeed back in 2012, this flaw allows individuals to access a private image if they can guess or retrieve a direct link to the photo. Attackers have exploited this vulnerability in the past by developing “fusking” programs, software which accepts a username and photo album as its input and which then pulls up any images, public or private, that it can find. Bourret and Andrianakis designed their app with fusking in mind. However, they also went so far as to sell passwords and unauthorized access to the protected information, photos and videos they found in Photobucket accounts, according to an indictment filed against them by the U.S. District Court for the District of Colorado. In a statement emailed to PCMag, Photobucket CTO Michael Clark said:
“Photobucket is committed to the security and privacy of its users, their content and user experience. Unfortunately, the defendants were intent on not only victimizing Photobucket and its users, but violating federal criminal statutes between 2012 and 2013 as alleged in the indictment. We will continue to support the government's work and our users through this ongoing criminal investigation."
Between July 2012 and 2014, the two men discussed their exploits via email and received PayPal transfers to fund their app. Authorities have now leveraged this evidence, in addition to customer service messages sent to Photobucket users, to arrest Bourret and Andrianakis and charge them with one count of conspiracy; one count of computer fraud, aid and abet; and two counts of access device fraud. The two men each face a maximum sentence of 20 years in prison and $1 million in fines. As of this writing, the Department of Justice’s investigation into the breach, including which users and photo albums were compromised, is still ongoing.