\u26a0\ufe0f Disclaimer: The image below (blurred for privacy) shows watermarked preview photos. I did not access or download photos belonging to others. My actions were limited to my own account<\/p>\n<\/blockquote>\n\n\n\n The concept of the web app is simple: after a photo session, you’re given access to an online portfolio. From there, you can select a set number of photos to download\u2014based on your studio package\u2014or purchase additional digital copies or physical prints. But here\u2019s the catch: a single high-res digital copy costs \u20ac35. That\u2019s steep, especially when you consider you could print them yourself elsewhere for much cheaper\u2014if<\/strong> you had access to the original files. That\u2019s where I started digging.<\/p>\n\n\n\n Each user’s portfolio is accessed via a URL that includes a portfolio ID and a 4-digit token for \u201cprotection.\u201d Out of curiosity, I typed Since I was only interested in my own files, I opened the browser developer tools to inspect the HTML and network activity. Within 5 minutes, I noticed something interesting:<\/p>\n\n\n\n Each watermarked image had a special CSS class applied to it. By simply removing or modifying that class in the frontend, the watermark disappeared\u2014and the image became fullscreen width. This meant I could screenshot the photo in high quality, but<\/em> I wanted to go further. If the frontend could render the image in high quality, it meant the full-resolution file was already being loaded in the background.<\/p>\n\n\n\n I didn\u2019t even need to fire up tools like Burp Suite or OWASP ZAP. Just by watching the network tab in my browser’s dev tools while loading the portfolio, I found that each image was being loaded as a blob file\u2014uncompressed and in full resolution.<\/p>\n\n\n\n I downloaded several of them and checked the metadata. They were original quality. And yes, I compared them to legally downloaded versions\u2014no visible difference.<\/p>\n\n\n\n Good question.<\/p>\n\n\n\n I didn\u2019t brute-force any credentials, inject SQL, or exploit a server vulnerability. The files were already delivered to me, unprotected. The only thing \u201chidden\u201d was the watermark overlay in the frontend, and the lack of a proper download mechanism didn\u2019t stop the original images from being accessible. So in that sense, yes, this is a form of unauthorized access\u2014not through malicious action, but through poor design<\/strong>. To top it off, I also found hardcoded JavaScript functions that kept track of how many downloads a user had left\u2014on the frontend. That means this could easily be manipulated too.<\/p>\n\n\n\n After discovering this issue, I responsibly disclosed the vulnerability to the company and waited 30 days before writing this post. This isn’t meant to shame the developers\u2014it\u2019s a lesson on why frontend-only protection is never enough when dealing with paid digital content. Always assume the user can see, modify, or capture whatever is rendered in their browser.<\/p>\n\n\n\n In this post, I\u2019ll walk you through how I discovered a way to access original, high-resolution photos from a photoshoot\u2014photos you’re normally required to pay extra for. While this isn’t your typical \u201chack\u201d with terminal commands and fancy exploits, it does highlight a critical flaw in how some web apps handle access control. \u26a0\ufe0f Disclaimer: […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[7],"tags":[],"class_list":["post-46","post","type-post","status-publish","format-standard","hentry","category-realworld"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/46","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46"}],"version-history":[{"count":12,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions"}],"predecessor-version":[{"id":72,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions\/72"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-08-153442-1024x487.png\")
Sniffing<\/h2>\n\n\n\n
..\/..\/<\/code> in the URL path\u2014and to my surprise, I could access a page listing other user portfolios, were you can enter a token. Yep. That easy. While I chose not to explore or open any of them (not my scope, not my interest), the fact that this was even possible is a major red flag<\/em> in terms of access control and product design.<\/p>\n\n\n\n![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-08-153640.png\")
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-08-153748-1.png\")
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-08-153855-1024x444.png\")
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-13-152820.png\")
Is This Hacking?<\/h2>\n\n\n\n
The aftermath<\/h2>\n\n\n\n