A photo booth company is exposing its customers’ photos and videos online thanks to a simple flaw in its website where the files are stored, according to a security researcher.
The researcher, who goes by Zeacer, alerted TechCrunch to the security issue in late November after reporting the vulnerability in October to Hama Film, the photo booth manufacturer that has a franchise presence in Australia, the United Arab Emirates, and the United States, but he didn’t hear back.
Zeacer shared with TechCrunch a sample of photos taken from Hama Film’s servers, which showed groups of clearly young people posing in photo booths. Hama Film booths not only print photos like a standard photo booth, but the booths also upload customers’ photos to the company’s servers.
Vibecast, which owns Hama Film, has yet to respond to his messages alerting the company to the issues. Vibecast also did not respond to multiple requests for comment from TechCrunch, nor did Vibecast co-founder Joel Park respond to a message we sent via LinkedIn.
As of Friday, the researcher said the company has yet to fully address the security flaw and continues to expose customer data. As such, TechCrunch is withholding specific details about the vulnerability from publication.
When Zeacer first discovered this flaw, he noted that photos appeared to be deleted from the camera maker’s servers every two to three weeks.
Now, he said, images stored on the servers appear to be deleted after 24 hours, which limits the number of images exposed at any one time. However, a hacker could still exploit the vulnerability every day and download every photo and video on the server.
Zeacer said that at one point before this week he saw more than 1,000 photos online from the Hama Film kiosks in Melbourne.
This incident is the latest example of a company that, at least for a time, did not implement some basic and widely accepted security practices, such as rate limiting. Last month, TechCrunch reported that government contractor giant Tyler Technologies was not applying such limits to the websites that courts use to manage the personal information of their jurors. This meant that anyone could break into any juror’s profile by running a computer script capable of mass-guessing their date of birth and their easy-to-guess numeric ID.
