Information Disclosure Flaw in Flickr Fixed After Two Months


Flickr vulnerability fixed

Yahoo has fixed a vulnerability in the photo sharing service Flickr that could have been leveraged to access users’ names and email addresses.

The security hole could have been exploited to view the invitations sent by Flickr users to other people simply by changing the value of the “resend” parameter in the invitation URLs. Each invitation exposed the recipient’s name and email address.

“Attacker can iterate through every ‘resend’ id and collect all data,” the expert who disclosed the flaw noted.

The information disclosure issue was reported via HackerOne two months ago. However, Yahoo representatives initially failed to reproduce the bug, and then claimed the flaw wasn’t a security issue.

“There is no information that invitation data (e-mail, name, relation, message) are public (because they are – they are visible to anyone). User can expect that this is private and can write private message. Also attacker can gather every e-mail (and matching names) and use it for spam/phishing. More accurate spam/phishing – with users names,” the expert who reported the bug wrote.

The status of the bug was set to “Won’t fix” until three days ago when the details of the vulnerability were publicly disclosed. Shortly after, Alex Stamos, Yahoo’s new chief information security officer, reopened the bug report on HackerOne.

The flaw was fixed shortly after. Now, when users try to access an invitation URL, they’re redirected to the Yahoo login page.
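The bug class described above is an insecure direct object reference: the “resend” id alone decided what the server returned. The following is an added illustration, not Flickr’s or Yahoo’s code, with a constructed in-memory invitation table standing in for the real database; it shows the unauthorized lookup beside a hardened handler that requires a login (the redirect the article describes) and checks that the invitation belongs to the caller.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Invitation:
    resend_id: int
    sender: str      # account that created the invitation
    email: str       # recipient data exposed by the original bug
    name: str
    relation: str
    message: str


# Constructed sample rows; sequential ids mirror the enumerable "resend" value.
INVITATIONS = {
    101: Invitation(101, "alice", "bob@example.test", "Bob", "friend", "Join me?"),
    102: Invitation(102, "carol", "dan@example.test", "Dan", "family", "Private note"),
}


class LoginRequired(Exception):
    """Stands in for the redirect-to-login response in the fixed version."""


def view_invitation_vulnerable(resend_id: int, current_user: Optional[str]) -> Optional[Invitation]:
    # Defect: the id is the only "authorization". The user argument is ignored,
    # so any caller who walks the id space reads every invitation.
    return INVITATIONS.get(resend_id)


def view_invitation_fixed(resend_id: int, current_user: Optional[str]) -> Optional[Invitation]:
    if current_user is None:
        raise LoginRequired()  # unauthenticated callers get the login page
    inv = INVITATIONS.get(resend_id)
    # Treat another user's invitation exactly like a missing one, so the
    # response does not even confirm which ids exist.
    if inv is None or inv.sender != current_user:
        return None
    return inv


def count_readable(view: Callable, ids: Iterable[int], current_user: Optional[str] = None) -> int:
    """Regression check: how many invitations a caller can read by walking ids."""
    readable = 0
    for i in ids:
        try:
            if view(i, current_user) is not None:
                readable += 1
        except LoginRequired:
            return 0
    return readable
```

Running `count_readable` over a range of ids with no logged-in user is a cheap regression test for this class of bug: the vulnerable handler yields every record, the fixed one yields none.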

“This bug has been fixed. We definitely consider this class of info disclosure to be an issue worthy of addressing and we’re sorry about the initial mistake. We’ll get back to you with bounty information shortly. Thank you for your patience and diligence,” Stamos noted.

Many members of the infosec community applauded Yahoo for naming Stamos as the company’s CISO. It appears that the company has made a wise decision.

Yahoo is currently working to regain users’ trust. It recently announced that all traffic moving between its datacenters is fully encrypted.

“Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all time, by default,” Stamos said at the time.

Earlier today, we learned that Yahoo fixed a total of 8 SQL Injection vulnerabilities found by an expert in the company’s Hong Kong subdomains.
