Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Photobucket are not cleaning up their act

May 12th 2008 in Uncategorized

Photobucket has been mentioned several times on this blog because of malvertizements appearing on the site.  The most recent outbreak is proving to be problematic, to say the least.

Photobucket have been advised several times that there are malvertizements appearing on the web site.  Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements.  Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the “advertising team”.

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

This is the Lady Speedstick malvertizement appearing on photobucket.com:

Screenshot in situ:

This is the Tokyo Drift malvertizement appearing on photobucket.com:

Screenshot in situ:

Kimberley wrote about the malvertizements at photobucket several days ago, and reported the problem to photobucket on 8 May:

Kimberley reports on photobucket.com again on 10 May…

And again here, just under 10 hours ago:

rlslog.net were able to get rid of the malvertizements reported to them.  mininova.org were able to get rid of the malvertizements that were reported to them.  Why is it so hard for photobucket.com to clean up *their* act???

I have no choice but to recommend that nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.  This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure us that:

  1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and

  2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately. 

I have always said that I do not support such wholesale blocking of advertisements, because I have always held to the view that every person deserves to earn an income. But in this case, because the malvertizements are still appearing despite our best efforts and despite several days having passed, I must recommend that visitors to the site protect themselves, even if it means that photobucket loses income, and all advertisers (legitimate and fraudulent alike) receive zero value from photobucket.com.


9 comments to...
“Photobucket are not cleaning up their act”


It’s happening again with Photobucket. We’ve posted your instructions to use Fiddler to get a network capture, but since Photobucket isn’t cooperative about removing the ads, we’ve also posted instructions on using a HOSTS file or the flash blocking feature in SpywareBlaster.


Can I have the URL for the chat where the Fiddler advice is given? I’ll see what I can do about tracking down the malvertizement.


It was a nice host to show your images online, so sorry they get greedy.
I would move all my images but they’re a lot and my account is 2 years old, luckly I use Firefox with a script blocker.
Thx for the info, Sandi.


@ Mary who says

“luckly [sic] I use Firefox with a script blocker”

I take a broader view than whether or not I, personally, am protected. My concern is, dare I say it, the greater good. If you can use Fiddler, IE and the standard protocols described on this blog to help us capture evidence proving which advertisement(s) are causing the browser hijack, then you will be doing great good.



Why do I feel that you took my Firefox comment as a criticism? I wasn’t attacking you. It is well known that if you use a buggy browser to surf the web, you will get infected sooner or later. There are other options, safer and more reliable than IE, i.e. Firefox, Opera, Konqueror (GNU/Linux), etc.

Unfortunately my knowledge of internet protocols is weak right now, otherwise I would be more than happy to collaborate with Bluetack.

Oh! And sorry about my English, I am from Argentina, English is not my homeland language, but there.. I give you the i that is missing in the word luckly.

This said, keep doing the greater good.



I did not take your comments as a personal criticism :o)

In fact, your comments about IE would have received no argument from me, back in the days of IE5 and even IE6.  Those who know me well know that I promoted, and advertised, alternative web browsers on inetexplorer.mvps.org and I still recommend non-Microsoft products if I consider it appropriate – for example, I don’t tell people to “get Linux” without reassuring myself that they are technically capable.. and I don’t recommend alternative web browsers if their favorite web sites will not work with IE.

I am tired of IE7 and IE8 being spoken of in the same way as IE5 and IE6, and I am tired of Firefox, Opera, Konqueror etc being held up as some sort of security panacea – they are not.

I am tired of the Firefox and Linux fanboys posting personally abusive comments – comments that do not get approved for publication but which I still see – for what it’s worth, the Microsoft fanbase is not known for such abusive behaviour – I wish the same could be said of the vocal fans of Firefox, Linux and Apple.

You do not need to collaborate with Bluetack or have any especial skills to get the information that we need to track down the problem at Photobucket and get it shut down.  All you need to do is install Fiddler on a Windows machine, fire up IE, use Fiddler to capture evidence of a redirect or malicious behaviour, save all sessions as a SAZ file and then send it to me – I can take care of the rest.

I prefer Fiddler because, unlike products such as Wireshark or Microsoft Network Monitor, it does not capture potentially personally sensitive information (such as email usernames and passwords that might be transmitted using an email client) because it captures *only* HTTP traffic.  Fiddler can decrypt HTTPS traffic, but I have never asked anybody to enable that option.

I am sure that I am not wrong in assuming that you have access to a Windows machine and Internet Explorer and that you use them regularly and can therefore do what I ask – after all, you wouldn’t make judgments about IE and Windows, or compare IE and Windows to Firefox/Opera and Linux unless you were very familiar with the latest versions of the Microsoft products, would you…  after all, I can honestly say that I use, on a daily basis, the latest versions of IE *and* Firefox *and* Opera and (shudder) even Safari.  I even experiment with lesser known browsers such as Deepnet and Kopassa.  This is because I have always said that I cannot provide a balanced opinion unless I am familiar not only with Microsoft products, but with the competition.
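
As an added illustration, not part of the comment above and not code from Fiddler or this blog: a short Python script for the reviewing side, listing the HTTP redirects in a SAZ capture that hop from one host to another. It assumes a SAZ is a ZIP archive holding each session as `raw/N_c.txt` (request) and `raw/N_s.txt` (response); the sample capture and its `.example` hosts are constructed.

```python
import io
import re
import zipfile
from urllib.parse import urljoin, urlsplit

def build_sample_saz():
    """Constructed sample capture with hypothetical .example hosts."""
    sessions = [
        ("GET http://site.example/album HTTP/1.1\r\nHost: site.example\r\n\r\n",
         "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
        ("GET http://ads.example/banner HTTP/1.1\r\nHost: ads.example\r\n\r\n",
         "HTTP/1.1 302 Found\r\nLocation: http://scan.example/alert\r\n\r\n"),
        ("GET http://site.example/old HTTP/1.1\r\nHost: site.example\r\n\r\n",
         "HTTP/1.1 301 Moved\r\nLocation: /new\r\n\r\n"),  # same host: ignored
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i, (req, resp) in enumerate(sessions, 1):
            z.writestr(f"raw/{i}_c.txt", req)   # client request
            z.writestr(f"raw/{i}_s.txt", resp)  # server response
    return buf.getvalue()

def cross_host_redirects(saz_bytes):
    """Return (session, request URL, status, target URL) for 3xx hops to another host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as z:
        names = set(z.namelist())
        # Keep the original digit string so zero-padded session names still resolve.
        reqs = sorted((int(m.group(1)), m.group(1)) for n in names
                      if (m := re.fullmatch(r"raw/(\d+)_c\.txt", n)))
        for num, tag in reqs:
            if f"raw/{tag}_s.txt" not in names:
                continue  # request with no recorded response
            req = z.read(f"raw/{tag}_c.txt").decode("latin-1").split("\r\n", 1)[0].split()
            head = z.read(f"raw/{tag}_s.txt").decode("latin-1").split("\r\n\r\n", 1)[0]
            status_line, *headers = head.split("\r\n")
            status = re.match(r"HTTP/\d\.\d (3\d\d)\b", status_line)
            loc = next((h.split(":", 1)[1].strip() for h in headers
                        if h.lower().startswith("location:")), None)
            if len(req) < 2 or not status or not loc:
                continue
            target = urljoin(req[1], loc)  # resolve relative Location values
            if urlsplit(target).hostname != urlsplit(req[1]).hostname:
                hits.append((num, req[1], int(status.group(1)), target))
    return hits

if __name__ == "__main__":
    for hit in cross_host_redirects(build_sample_saz()):
        print(hit)
```

Navigation driven by script or Flash content does not produce a 3xx response, so those hops have to be followed through request order and the Referer header instead.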



Sandi, you have mail. It’s not only Photobucket, MSN groups are hosting them as well, along with the clipboard exploit. I’ve sent details to you.


Hi JudyC,

I have not received anything. Can you contact me using the Contact link below, and I will send you an email address:




I believe that is the form I used to contact you, but I have just resent the information. Again, it indicated that it had been sent.
