Flickr’ Account Takeover Vulnerability Patched, Researcher Gets $7k Bounty

A security researcher named “Michael Reizelman” privately disclosed a serious vulnerability in Flickr and earned a bounty of $7,000 in the process. A few days back, Michael spotted a critical flaw in the multimillion-image and video hosting website-Flickr through Yahoo’s HackerOne bug bounty program.

Flickr uses token authentication system to keep the accounts safe, but according to Michael, he was able to log into any Flickr account by forcing the site to send him the authentication code for a user already logged in his Yahoo account.

A parameter “.done” can be tricked to send the authentication code of Flickr to the hacker Michael explained. He said that because of Yahoo handling the Flickr authentication system, if someone is already logged into his Yahoo account, he can access Flickr without re-authentication and the hacker can take advantage of this.

Michael wrote in a blog post that “The first thing I have noticed is that the second .done parameter can be manipulated. This parameter controls where the login tokens are sent. It appears that Yahoo’s servers only verify that it starts with https://www.flickr.com/signin/yahoo/, but we can still append ../ so if we append ../../test to the .done original value the .ys and .data tokens will be sent to https://www.flickr.com/test endpoint.”

The vulnerability explained:

Yahoo has placed some serious security measures to ensure the safety of Flickr’ users called “Content security policy (CSP),” however Michael noticed that these measures weren’t in place on the forum pages of the site. He managed to embed a malicious imaged in the Flickr’s forum “flickr.com/help/forum/en-us/” and using this technique; hackers can get their hands on the authentication codes.

“The photos page had some Content Security Policy applied. CSP is an in-depth protection method against different kinds of client-side attacks. The CSP tells the browser in my case that it doesn’t allow me to embed external images from my server (and only from white-listed servers) on the photos page. The forums didn’t have any CSP applied so I could embed the image successfully,” Michael explained.

The flaw Patched!

Lucky for us, Michael reported the vulnerability to Yahoo officials and the vulnerability is already patched according to the latest reports. The authorities have added CSP measures to ensure that hackers cannot take advantage of this reported vulnerability.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Total
0
Shares
Related Posts