Over 11 million photos uploaded by owners of Ricoh's Theta cameras were accidentally left exposed in a database that was open to practically anyone. The database could be accessed without a password.
The lapse was discovered by security researchers Noam Rotem and Ran Locar, who reported it immediately to Ricoh, the maker of the Theta 360-degree cameras, which have been on the market since 2014. Ricoh has sold thousands of the cameras, and owners are given access to cloud storage where they can upload and share their photos and videos.
Rotem and Locar recently found that the cloud database backing that storage had been left open: anyone who reached the database could access any of the 11 million photos uploaded and stored by camera owners.
TechCrunch verified this when Rotem and Locar provided a sample of the data. According to TechCrunch, it was able to easily access photos uploaded to Ricoh's cloud storage even when they were marked private or unlisted: all it took was transplanting the unique file identifier found in the database into the storage server's web address. The uploader's name and the photo captions were also viewable. In other words, "private" and "unlisted" only meant that the identifier was not published; whoever held the identifier could fetch the photo, and the open database handed out every identifier.
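The access path described above, as an added example that is not code from TechCrunch, the researchers, or Ricoh: a simulated storage service in which the weak design serves any object to whoever knows its identifier (so a leaked database row is a working link), beside a hardened design where the application checks authorization first and then mints a short-lived HMAC-signed URL, so an identifier on its own, a tampered identifier, or an expired link all fetch nothing. The photo records, the storage host, and the signing key are constructed for this example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the kind of records the exposed database held.
# Identifiers, owners and captions are made up for this example.
PHOTOS = {
    "f81d4fae7dec": {"owner": "alice", "visibility": "private", "caption": "back yard"},
    "0c2a9b7e3d11": {"owner": "bob", "visibility": "public", "caption": "harbour"},
}

STORAGE_BASE = "https://storage.example.invalid/photos/"  # hypothetical host
SECRET = b"server-side-signing-key"  # assumption: held only by the app server


def weak_url(file_id: str) -> str:
    """Weak design: the storage URL is just the base plus the file identifier."""
    return STORAGE_BASE + file_id


def weak_fetch(url: str):
    """Simulated storage server with no check at all: knowing the identifier
    (e.g. from a leaked database row) is enough to retrieve any object."""
    file_id = urlsplit(url).path.rsplit("/", 1)[-1]
    return PHOTOS.get(file_id)


def _sign(file_id: str, expires: int) -> str:
    # The signature binds identifier and expiry together, so neither can be
    # swapped without invalidating the link.
    msg = f"{file_id}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_url(file_id: str, requester: str, now: Optional[int] = None, ttl: int = 300) -> str:
    """Hardened design: the application decides whether `requester` may see the
    photo before any URL exists, then issues a link that dies after `ttl` seconds."""
    photo = PHOTOS[file_id]
    if photo["visibility"] != "public" and photo["owner"] != requester:
        raise PermissionError(f"{requester} may not view {file_id}")
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _sign(file_id, expires)})
    return f"{STORAGE_BASE}{file_id}?{query}"


def hardened_fetch(url: str, now: Optional[int] = None):
    """Simulated storage server that serves an object only for a valid,
    unexpired signature; a bare identifier from a leaked row gets nothing."""
    parts = urlsplit(url)
    file_id = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    now = int(time.time()) if now is None else int(now)
    if now >= expires:
        return None
    if not hmac.compare_digest(sig, _sign(file_id, expires)):
        return None
    return PHOTOS.get(file_id)


if __name__ == "__main__":
    leaked_id = "f81d4fae7dec"  # identifier taken from the "exposed" records
    print("weak:", weak_fetch(weak_url(leaked_id)))
    print("hardened, bare id:", hardened_fetch(STORAGE_BASE + leaked_id))
    print("hardened, owner:", hardened_fetch(signed_url(leaked_id, "alice")))
```

The point of the hardened version is not the HMAC itself but where the decision is made: the storage tier never has to know who the requester is, because the application only signs a link after it has checked ownership, and a leaked identifier without a matching signature is inert. Pulling direct-link access entirely, as Ricoh said it did, is the blunter version of the same move.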
Ricoh appears to have responded very quickly once the leak was reported. Rotem and Locar provided the following timeline:
- May 14: They discovered the leak in Theta360’s database
- May 15: They contacted Theta360 about the leak
- May 15: Theta360 responded to their team
- May 16: The leak was closed
John Greco, a spokesperson for Ricoh, did not dispute the researchers' finding that 11 million photos were openly exposed in the database and confirmed the exposure. He said the company corrected the issue within hours of it being reported.
“We take the security of customer information extremely seriously. It’s important to note that before the resolution, further steps beyond accessing the records would have been necessary and would require a deeper level of expertise to ultimately view the images. Today, private photos are only accessible to those with a direct link, a design feature that is intended to allow customers to share their images.”
In that statement Ricoh emphasized that, before the fix, several further steps and a deeper level of expertise were needed to go from the exposed records to actually viewing a photo, and that private photos are now accessible only to users holding a direct link, a design intended to let users share their photos. Ricoh nonetheless decided to pull direct-link access to these photos to prevent a further breach.
Ricoh did not disclose how long the database had been left open and exposed, although Shodan, a search engine that indexes internet-exposed devices and services, first recorded the Ricoh database as exposed on May 9.