Unsecured JibJab server exposed users’ selfies, including children



Summary

Public server

A cloud storage server used by JibJab was publicly accessible on the open internet.

Exposed selfies

The hacker who discovered the server believes millions of selfies, including those of children, were exposed.

JibJab aware?

An alleged email between the hacker and CEO suggests JibJab had been aware of the issue.


Full story

An unsecured server hosted by the widely used electronic greeting card company JibJab exposed users’ selfies, including those taken by children. The security researcher who discovered the issue, known as “BobDaHacker,” told Straight Arrow News that “millions of users’ faces” may have been left unprotected as a result.

As of October 2024, more than 84 million people had used JibJab. The service allows users to upload photos of their faces or others’ and place them in animated greeting card videos.

The photos, according to BobDaHacker, were left on a public-facing Amazon cloud storage server. Anyone with the server’s address could view or download the images without authorization. BobDaHacker provided SAN with links to numerous selfies, including one that appeared to have been taken by a young child.

Other data exposed on the server included the email addresses of those who’d been sent digital invitations by JibJab users.

Fix delayed

BobDaHacker alerted JibJab to the exposure in an email to CEO Paul Hanges. A screenshot of the correspondence shown to SAN suggests that JibJab had prior knowledge of the issue but had not resolved it.

“We actually are already aware of this and are planning to address it after our busy season,” Hanges wrote, according to the screenshot of an email.

BobDaHacker expressed concern over Hanges’ remark, given the apparent breadth of the exposure and the fact that the fix only required a simple settings change.

A gift card as bounty

Hanges also told BobDaHacker that JibJab doesn’t normally provide bounties to security researchers who alert them to vulnerabilities. Nevertheless, he offered BobDaHacker a lifetime membership to JibJab and a “small Amazon gift card” for his findings.

In the end, BobDaHacker says he was awarded $500. As of Wednesday, the server was no longer publicly accessible.

SAN sent multiple emails to JibJab to inquire about the issue, but did not receive a reply. SAN was unable to confirm exactly how many users were exposed or for how long. 

Alan Judd (Content Editor) and Mathew Grisham (Digital Producer) contributed to this report.

SAN provides
Unbiased. Straight Facts.

Don’t just take our word for it.


Certified balanced reporting

According to media bias experts at AllSides

AllSides Certified Balanced May 2025

Transparent and credible

Awarded a perfect reliability rating from NewsGuard

100/100

Welcome back to trustworthy journalism.

Find out more

Why this story matters

A security lapse at JibJab exposed millions of users' selfies, including those of children, raising concerns about data privacy, especially for minors using digital platforms.

Data privacy

Unsecured personal data, such as photos and email addresses, was left public, underscoring risks for users who trust online platforms with sensitive information.

Child safety online

Selfies of children were among the exposed content, highlighting ongoing issues related to protecting minors’ identities and privacy on digital platforms.
