Michael Reizelman, an independent researcher, discovered and privately disclosed a data security vulnerability in Flickr, Yahoo’s image-hosting platform. He was compensated for his efforts with a $7K bounty.
Yahoo patched the vulnerability on the 10th of April, 8 days after it was discovered.
Reizelman notified Yahoo through HackerOne, the platform that hosts its bounty program. According to him, he found a way around Flickr’s photo protections that allowed him to force the service to send him an authentication token for a user who was already logged in.
Explaining further how the exploit worked, Reizelman said that by taking advantage of it, an attacker could gain complete access to the victim’s account, including uploading new content to the website and modifying or deleting existing content.
The exploit was possible because of how Flickr handled user token credentials through a parameter called ‘.done’, which determines where the token is sent after login. An attacker could manipulate this parameter so that the token was sent to the attacker’s own server instead.
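The defensive fix for a redirect parameter of this kind is to validate the destination against an allowlist of the site’s own hosts before the token-bearing redirect is issued. The following is an added example written for this article, not Flickr’s or Yahoo’s code: the host names, the `.done`-style parameter handling and the sample inputs are constructed assumptions. It contrasts a naive substring check, which an attacker-controlled host can satisfy, with a strict parse-and-allowlist check that falls back to a fixed landing page whenever the requested target is not acceptable.

```python
from urllib.parse import urlparse, urljoin

# Constructed for this example: hosts a post-login redirect may point to.
# A real deployment would load these from configuration, not hard-code them.
ALLOWED_REDIRECT_HOSTS = {"www.example-photos.test", "example-photos.test"}
DEFAULT_LANDING = "https://www.example-photos.test/home"


def weak_is_safe_redirect(target: str) -> bool:
    """Naive check that only asks whether the site's domain appears in the string.

    This is the kind of validation an external host can satisfy, for example
    'https://example-photos.test.attacker.test/' or a userinfo-prefixed URL,
    so it must not be used to decide where a token is sent.
    """
    return "example-photos.test" in target


def safe_redirect_target(target: str) -> str:
    """Return an absolute URL that is safe to redirect (and hand a token) to.

    Anything that does not parse as an https URL on an allowlisted host, or as a
    simple site-relative path, is replaced by DEFAULT_LANDING.
    """
    if not target:
        return DEFAULT_LANDING

    parsed = urlparse(target)

    # Site-relative path: no scheme, no host. Reject "//host" (protocol-relative)
    # and "/\host" (browsers normalise the backslash to a slash).
    if parsed.scheme == "" and parsed.netloc == "":
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return urljoin(DEFAULT_LANDING, target)
        return DEFAULT_LANDING

    # Absolute URL: insist on https and on an allowlisted host.
    if parsed.scheme != "https":
        return DEFAULT_LANDING
    # parsed.hostname is lowercased and has userinfo and port stripped, so
    # "https://www.example-photos.test@attacker.test/" resolves to attacker.test.
    if parsed.hostname not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_LANDING
    if parsed.username or parsed.password:
        # Userinfo serves no purpose in a redirect and is a classic confusion trick.
        return DEFAULT_LANDING
    return target


if __name__ == "__main__":
    # Constructed sample inputs of the kind a redirect parameter receives.
    for candidate in [
        "/photos/123",
        "https://www.example-photos.test/groups/",
        "https://attacker.test/collect",
        "//attacker.test/collect",
        "https://example-photos.test.attacker.test/",
        "https://www.example-photos.test@attacker.test/",
    ]:
        print(f"{candidate!r:55} weak={weak_is_safe_redirect(candidate)!s:5} "
              f"-> {safe_redirect_target(candidate)}")
```

The important design choice is that the validator never tries to "clean up" a bad target; it substitutes a known-good landing page, so a failed check can never leak the token to a third party. The article also notes that Flickr’s photo pages were protected by a content security policy while the forum pages were not; that is a second, independent layer, and the allowlist above is the one that closes the redirect itself.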
Since Flickr applies a content security policy to its photo pages, the attack does not work there. Its forum pages, however, did not have the same protection in place and were vulnerable to this type of attack.
In practice, this meant that if a victim clicked on an attacker’s malicious URL from a forum page, the attacker could steal the authentication token and become logged in as the victim.