Unsecured JibJab server exposed users’ selfies, including children
An unsecured server hosted by the widely used electronic greeting card company JibJab exposed users’ selfies, including those taken by children. The security researcher who discovered the issue, known as “BobDaHacker,” told Straight Arrow News that “millions of users’ faces” may have been left unprotected as a result.
As of October 2024, more than 84 million people had used JibJab. The service allows users to upload photos of their faces or others’ and place them in animated greeting card videos.
The photos, according to BobDaHacker, were left on a public-facing Amazon cloud storage server. Anyone with the server’s address could view or download the images without authorization. BobDaHacker provided SAN with links to numerous selfies, including one that appeared to have been taken by a young child.
Other data exposed on the server included the email addresses of those who’d been sent digital invitations by JibJab users.
Fix delayed
BobDaHacker alerted JibJab to the exposure in an email to CEO Paul Hanges. A screenshot of the correspondence shown to SAN suggests that JibJab had prior knowledge of the issue but had not resolved it.
“We actually are already aware of this and are planning to address it after our busy season,” Hanges wrote, according to the screenshot of an email.
BobDaHacker expressed concern over Hanges’ remark, given the apparent breadth of the exposure and the fact that the fix only required a simple settings change.
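The exposure described above is a cloud storage bucket whose access settings let anyone read its objects, and the fix is the settings change the researcher refers to. The following is an added example, not code from JibJab or the researcher: it uses constructed data in the shape of S3 GetBucketAcl and GetPublicAccessBlock responses to show how an audit flags the weak configuration and what the corrected Block Public Access settings look like; the `remediate_bucket` helper and any bucket name passed to it are assumptions.

```python
# Public group URIs that make an S3 ACL grant "public" (anonymous or any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The corrected settings: S3 Block Public Access with every flag enabled.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample data (not from the incident): an ACL granting READ to AllUsers,
# paired with a public-access-block configuration that has every protection switched off.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
WEAK_PUBLIC_ACCESS_BLOCK = {flag: False for flag in HARDENED_PUBLIC_ACCESS_BLOCK}


def public_acl_grants(acl: dict) -> list:
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [
        g.get("Permission", "")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]


def is_publicly_readable(acl: dict, block: dict) -> bool:
    """True when the ACL lets anyone list or fetch objects and IgnorePublicAcls is off.
    Exposure through a bucket policy is a separate check not covered here."""
    if not any(p in ("READ", "FULL_CONTROL") for p in public_acl_grants(acl)):
        return False
    return not block.get("IgnorePublicAcls", False)


def remediate_bucket(bucket: str) -> None:
    """Apply the hardened settings with boto3 (assumed helper; needs AWS credentials)."""
    import boto3  # imported here so the audit logic above runs offline
    boto3.client("s3").put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=HARDENED_PUBLIC_ACCESS_BLOCK
    )
```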
A gift card as bounty
Hanges also told BobDaHacker that JibJab doesn’t normally provide bounties to security researchers who alert them to vulnerabilities. Nevertheless, he offered BobDaHacker a lifetime membership to JibJab and a “small Amazon gift card” for his findings.
In the end, BobDaHacker says he was awarded $500. As of Wednesday, the server was no longer publicly accessible.
SAN sent multiple emails to JibJab to inquire about the issue, but did not receive a reply. SAN was unable to confirm exactly how many users were exposed or for how long.