Flickr's API Signature Forgery Vulnerability
September 29, 2009
--Affected Web Sites
A lot of web sites provide API service whose architecture is the same
as Flickr's API. They are potentially vulnerable.
We don't have a complete list, but here are some notable web sites:
* DivShare http://www.divshare.com/
* iContact http://www.icontact.com/
* Mindmeister http://www.mindmeister.com/
* Myxer http://www.myxer.com/
* RTM http://www.rememberthemilk.com/ (not exploitable)
* Scribd http://www.scribd.com/
* Vimeo http://www.vimeo.com/
* Voxel http://www.voxel.net/
* Wizehive http://www.wizehive.com/
* Zooomr http://www.zooomr.com/
Please note that we haven't tested these web sites. They are included here
because they describe the same signing process in their API documentation.
Flickr is almost certainly the best online photo management and sharing
application in the world. As of June 2009, it claims to host more than
3.6 billion images. In order to allow independent programmers to expand
its services, Flickr offers a fairly comprehensive web-service API that
allows programmers to create applications that can perform almost any
function a user on the Flickr site can do.
The Flickr's API consists of a set of callable methods, and some API
endpoints. To perform an action using the Flickr's API, you need to select
a calling convention, send a request to its endpoint specifying a method
and some arguments, and will receive a formatted response.
Many methods require the user to be logged in. At present there is only
one way to accomplish this. Users should be authenticated using the Flickr
Authentication API. Any applications wishing to use the Flickr Authentication
API must have already obtained a Flickr's API Key. An 8-byte long 'shared
secret' for the API Key is then issued by Flickr and cannot be changed by
the users. This secret is used in the signing process, which is required
for all API calls using an authentication token.
This advisory describes a vulnerability in the signing process that allows an
attacker to generate valid signatures without knowing the shared secret.
By exploiting this vulnerability, an attacker can send valid arbitrary requests
on behalf of any application using Flickr's API. When combined with other
vulnerabilities and attacks, an attacker can gain access to accounts of
users who have authorized any third party application. Additionally, if an
application uses PHPFlickr >= 1.3.1, an attacker can trick users of that
application to visit arbitrary web sites. This may apply for other Flickr's
API libraries and applications as well.
An initial notification was sent to Yahoo! Flickr on Sep. 5, 2009. A copy
of this advisory was sent to Yahoo! Flickr on Sep. 13, 2009. Yahoo! Flickr
replied on Sep. 14, 2009 to acknowledge the vulnerability. Yahoo! Flickr
sent us an email on Sep. 23, 2009 to say that they were going to deploy a
fix in the same week.
An initial notification was sent to the vendors listed above on Sep. 17,
2009. Another copy of this advisory was sent to them on Sep. 24, 2009.
Here are the responses from some of them:
* Remember The Milk said that they have investigated and confirmed
is not vulnerable.
* Vimeo tried to fix the issue by making sure that the first parameter
after sorting is always api_key and failing if it isn't. This fix doesn't
work because we can make the first parameter be api_key and still append
new data to the request. They are working on a new fix.
* "Voxel developers immediately evaluated the severity of the potential
attack, and determined that hAPI may be vulnerable. Adjustments
to allay the vulnerability were made to hAPI=92s authentication backend,
and deployed immediately" (from their blog)
No other vendor provided details about their plans to deploy fixes.
This vulnerability was found and researched by Thai Duong from
VNSecurity/HVAOnline and Juliano Rizzo from Netifera.
Greeting to all members of VNSecurity, HVAOnline and Netifera.
The authors would like to thank Huong L. Nguyen, rd, Gunther, Bruce Leidl,
and Alex Sotirov for reading and editing the draft of this advisory.
Download the complete advisory from:
Or read it in your browser and leave comments in Thai's blog:
We hope you enjoy reading this advisory as much as we enjoy writing it.