Ethical hacker rewarded $7,000 by Yahoo for disclosing security flaw in Flickr – The Yahoo-owned photo and video sharing software had a flaw that enabled hackers to hijack user accounts
An ethical hacker has been awarded $7,000 (approximately Rs 4.5 lakh) by Yahoo for disclosing a security flaw in the software company’s photo sharing site Flickr that enabled attackers to hijack user accounts without limit.
The issue, which was patched on April 10, permitted hackers to intercept and grab access tokens by circumventing Flickr protections, as reported by ZDNet.
According to security researcher Michael Reizelman, who privately disclosed the bug to Yahoo before making the details public, the problem was caused by the way Flickr handled access tokens.
The problem arose when users logging into Flickr.com were redirected to a Yahoo account login page. After entering their credentials and submitting the form, the user is directed first to a Yahoo endpoint where the credentials are verified. If they are valid, the user is then redirected back to a Flickr URL.
However, if the user is already logged into Yahoo and clicks the initial sign-in Flickr link, then only one click is needed for verification. With this in mind, Reizelman investigated and found that the .done parameter, which controls where login tokens are sent, can be manipulated.
“While Flickr already has some endpoint protections in place to prevent tokens from being leaked to external servers, tweaking a URL and adding a backslash bypasses these protections through the Flickr forum,” the report said.
Reizelman then discovered a way to leak user account tokens to his own server by posting crafted images which forced the Flickr service to relinquish the tokens on forum pages which did not have Content Security Policy protections in place.
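As an added defensive illustration (not Flickr's or Yahoo's code), the snippet below puts a naive prefix check on a post-login redirect parameter beside an allowlist validator that rejects the inputs on which a server-side parser and a browser disagree, such as URLs containing a backslash. The allowlisted host and the sample redirect targets are assumed and constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts a post-login redirect may target.
ALLOWED_HOSTS = {"www.flickr.com"}


def naive_is_allowed(url: str) -> bool:
    """Prefix check of the kind that is easy to bypass: it only looks at the
    start of the string, so any target that *begins* with the trusted origin
    passes, regardless of what the browser actually resolves it to."""
    return url.startswith("https://www.flickr.com")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist validation for a redirect target such as a `.done` parameter.

    Rejects characters that URL parsers disagree on (backslash, control
    characters), refuses userinfo, and requires an exact https host match
    rather than a prefix match."""
    if not url or "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":          # rejects http:// and protocol-relative //host
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # "trusted.host@other.host" confusion
    hostname = parts.hostname            # already lower-cased by urlsplit
    return hostname is not None and hostname in allowed_hosts


# Constructed sample redirect targets: value is the result a correct check gives.
SAMPLES = {
    "https://www.flickr.com/photos/me": True,
    "http://www.flickr.com/": False,
    "//other.example/": False,
    "https://other.example/": False,
    "https://www.flickr.com.other.example/": False,
    "https://www.flickr.com@other.example/": False,
    "https://www.flickr.com\\@other.example/": False,
}


def check_samples() -> dict:
    """Return {url: (naive_result, hardened_result)} for the constructed samples."""
    return {u: (naive_is_allowed(u), is_safe_redirect(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (naive, hardened) in check_samples().items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {url}")
```

Running it shows the prefix check accepting the last two samples that the hardened validator rejects.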
“An attacker had complete access to the victim’s account,” Reizelman told ThreatPost. “He actually was logged in to the site with the victim’s account, so he could do any action on the victim’s behalf: uploading content, deleting it, or any other thing he wants.”
Once disclosed through Yahoo’s bug bounty program hosted on HackerOne’s platform on 2 April, the issue was investigated within 24 hours. It took the Flickr team a further week to resolve the issue and prepare for public disclosure. The researcher was then awarded his bounty.