Yahoo has patched an account takeover vulnerability on its Flickr image-hosting service that earned an independent security researcher a $7,000 bounty.
The issue was patched April 10, eight days after Michael Reizelman privately disclosed it through Yahoo’s HackerOne bounty program.
Reizelman said he found an end-around to protections already in place on Flickr photo pages, and was able to force the service to send him an authentication token for a logged-in user.
“An attacker had complete access to the victim’s account,” Reizelman said. “He actually was logged in to the site with the victim’s account, so he could do any action on the victim’s behalf: uploading content, deleting it, or any other thing he wants.”
Reizelman explained in a disclosure published Saturday that Flickr authentication is handled by a Yahoo login domain, which distributes the user’s token once credentials are verified and redirects the user back to Flickr. If the user is already logged in to Yahoo, a single click takes the user to Flickr without the need to re-authenticate.
Reizelman said that a parameter called .done, which determines where tokens are sent, may be manipulated and could be forced to send the token to an attacker’s server.
“Basically if we can manipulate it to an undesired value it can cause some trouble,” Reizelman said.
Reizelman wrote that he discovered that Flickr allows for images to be embedded into comments on different Flickr pages, and that by posting an external image into a comment, he perhaps could get Flickr to leak the token to his server in the referrer field. Yahoo, however, already countered such a prospect by manipulating the src value of an image to an internal Yahoo proxy, preventing Flickr from leaking requests to external servers.
Reizelman said he next added a backslash to the start of the URL (Yahoo blacklists HTTP links and links starting with a slash), and found that the src value was then not rewritten to the proxy. Still, his attack did not work on the photo pages, because Yahoo applied a Content Security Policy to them. The same could not be said for the Flickr forums pages.
“The photos page had some Content Security Policy applied. CSP is an in-depth protection method against different kinds of client-side attacks. The CSP actually tells the browser in my case that it doesn’t allow me to embed external images from my server (and only from white-listed servers) on the photos page,” Reizelman said. “The forums didn’t have any CSP applied so I could embed the image successfully.”
If a victim clicks a malicious URL from a forums page, the redirection to the attacker’s server carries the authentication token, and the attacker can then browse to Flickr with that token and be logged in as the victim.
“Actually that was a standard design decision since they wanted to pass query parameters back to Flickr so they thought that just checking if the string starts with flickr.com/signin/yahoo will be enough to ensure that no other page will be accessed,” Reizelman said. “They didn’t think about the path traversal option.”
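The weakness Reizelman describes is a redirect target validated with a string-prefix check, which a path-traversal segment or a backslash can satisfy while still pointing somewhere else. The following is an added example, not Yahoo’s or Flickr’s code, showing that naive check beside a hardened validator that parses the URL, pins the scheme and host, percent-decodes and normalises the path, and only then compares it against the allowed prefix. The hostname, path prefix, sample URLs and function names are assumptions constructed for illustration.

```python
"""Validating a post-login redirect target (a ".done"-style parameter).

Added example, not Yahoo's or Flickr's code. The hostname, path prefix and
sample URLs below are assumptions constructed for illustration.
"""
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "www.flickr.com"          # assumed: the only host tokens may return to
REQUIRED_PATH_PREFIX = "/signin/yahoo"   # assumed: the only path allowed to receive them


def naive_is_safe_redirect(done: str) -> bool:
    """Prefix check of the kind the article describes: anything that *starts*
    with the expected URL passes, including paths that later climb out of it."""
    return done.startswith("https://" + ALLOWED_HOST + REQUIRED_PATH_PREFIX)


def hardened_is_safe_redirect(done: str) -> bool:
    """Parse the target, pin scheme and host, normalise the path and only then
    compare it against the allowed prefix."""
    # Browsers treat "\" as "/" in http(s) URLs; Python's parser does not, so a
    # backslash anywhere means the two would disagree about where this goes.
    if "\\" in done:
        return False
    parts = urlsplit(done)
    if parts.scheme != "https":
        return False
    # Exact netloc comparison also rejects userinfo ("user@host") and port tricks.
    if parts.netloc.lower() != ALLOWED_HOST:
        return False
    # Decode percent-encoding first so "%2e%2e" is seen as "..", then collapse
    # "." and ".." segments the way the server's router would.
    path = posixpath.normpath(unquote(parts.path) or "/")
    return path == REQUIRED_PATH_PREFIX or path.startswith(REQUIRED_PATH_PREFIX + "/")


# Constructed sample targets (not URLs from the report).
SAMPLES = {
    "legit":      "https://www.flickr.com/signin/yahoo/?next=%2Fphotos",
    "traversal":  "https://www.flickr.com/signin/yahoo/../../other/page/",
    "encoded":    "https://www.flickr.com/signin/yahoo/%2e%2e/%2e%2e/other/page/",
    "backslash":  "https://www.flickr.com/signin/yahoo\\..\\..\\other\\page",
    "other-host": "https://www.flickr.com.example.net/signin/yahoo/",
    "http":       "http://www.flickr.com/signin/yahoo/",
}


def compare(samples=SAMPLES):
    """Return {name: (naive_verdict, hardened_verdict)} for each sample."""
    return {name: (naive_is_safe_redirect(u), hardened_is_safe_redirect(u))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:<11} naive={naive!s:<5} hardened={hardened}")
```

The traversal, encoded and backslash samples all pass the naive check and fail the hardened one; the legitimate target passes both. Normalising before comparing is the essential step: a prefix test on the raw string cannot tell where a path ends up once the server resolves `..` segments.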