Flickr account hijack flaw earns researcher $7k

The bug bounty was issued for a bug in Flickr allowing for complete account takeovers.
Written by Charlie Osborne, Contributing Writer

Yahoo has awarded a researcher $7,000 for disclosing a Flickr security flaw which enabled attackers to hijack user accounts without limit.

The issue, patched on April 10, permitted attackers to intercept and grab access tokens by circumventing Flickr protections.

According to security researcher Michael Reizelman who privately disclosed the bug to Yahoo-owned photo and video-sharing website Flickr before making the details public, the problem was caused by the way Flickr handled access tokens.

When a user wants to login to Flickr.com, they click a sign-in button which redirects them to a Yahoo account login page. After being prompted to enter their credentials and completing the form to login, the user is directed first to a Yahoo endpoint where the credentials are verified. If valid, they are then redirected back to a Flickr URL.

However, if the user is already logged into Yahoo and clicks the initial sign-in Flickr link, then only one click is needed for verification. With this in mind, Reizelman investigated and found that the .done parameter, which controls where login tokens are sent, can be manipulated.

While Flickr already has some endpoint protections in place to prevent tokens from being leaked to external servers, tweaking an URL and adding a backslash bypasses these protections through the Flickr forum.

The researcher then discovered a way to leak user account tokens to his own server by posting crafted images which forced the Flickr service to relinquish the tokens on forum pages which did not have Content Security Policy protections in place.

See also: IBM admits it sent malware-infected USB sticks to customers (TechRepublic)

Should a user click on a malicious link posted within the forum, the redirection code would then send the authentication token to an attacker's server and allow the threat actor to browse the site using the victim's account.

"An attacker had a complete access to the victim's account," Reizelman told ThreatPost. "He actually was logged in to the site with the victim's account, so he could do any action on the victim's behalf: uploading content, deleting it, or any other thing he wants."

Once disclosed through Yahoo's bug bounty program hosted on HackerOne's platform on April 2, the issue was investigated within 24 hours. It took the Flickr team a further week to resolve the issue and prepare for public disclosure. The researcher was then awarded his bounty.

Bug bounties are becoming a popular way to entice skilled security researchers to ferret out security flaws in products and services before attackers do. Last week, the US Air Force invited hackers to do their worst and find security vulnerabilities in the military's websites.

10 things you didn't know about the Dark Web

NSA halts domestic digital surveillance program over privacy issues:

Editorial standards