Flickr's API Signature Forgery Vulnerability http://netifera.com/research/flickr_api_signature_forgery.pdf September 29, 2009 --Affected Web Sites A lot of web sites provide API service whose architecture is the same as Flickr's API. They are potentially vulnerable. We don't have a complete list, but here are some notable web sites: * DivShare http://www.divshare.com/ * iContact http://www.icontact.com/ * Mindmeister http://www.mindmeister.com/ * Myxer http://www.myxer.com/ * RTM http://www.rememberthemilk.com/ (not exploitable) * Scribd http://www.scribd.com/ * Vimeo http://www.vimeo.com/ * Voxel http://www.voxel.net/ * Wizehive http://www.wizehive.com/ * Zooomr http://www.zooomr.com/ Please note that we haven't tested these web sites. They are included here because they describe the same signing process in their API documentation. --Vulnerability Description Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr's API consists of a set of callable methods, and some API endpoints. To perform an action using the Flickr's API, you need to select a calling convention, send a request to its endpoint specifying a method and some arguments, and will receive a formatted response. Many methods require the user to be logged in. At present there is only one way to accomplish this. Users should be authenticated using the Flickr Authentication API. Any applications wishing to use the Flickr Authentication API must have already obtained a Flickr's API Key. An 8-byte long 'shared secret' for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process, which is required for all API calls using an authentication token. This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API. When combined with other vulnerabilities and attacks, an attacker can gain access to accounts of users who have authorized any third party application. Additionally, if an application uses PHPFlickr >= 1.3.1, an attacker can trick users of that application to visit arbitrary web sites. This may apply for other Flickr's API libraries and applications as well. --Vendor Response An initial notification was sent to Yahoo! Flickr on Sep. 5, 2009. A copy of this advisory was sent to Yahoo! Flickr on Sep. 13, 2009. Yahoo! Flickr replied on Sep. 14, 2009 to acknowledge the vulnerability. Yahoo! Flickr sent us an email on Sep. 23, 2009 to say that they were going to deploy a fix in the same week. An initial notification was sent to the vendors listed above on Sep. 17, 2009. Another copy of this advisory was sent to them on Sep. 24, 2009. Here are the responses from some of them: * Remember The Milk said that they have investigated and confirmed their site is not vulnerable. * Vimeo tried to fix the issue by making sure that the first parameter after sorting is always api_key and failing if it isn't. This fix doesn't work because we can make the first parameter be api_key and still append new data to the request. They are working on a new fix. * "Voxel developers immediately evaluated the severity of the potential attack, and determined that hAPI may be vulnerable. Adjustments to allay the vulnerability were made to hAPI’s authentication backend, and deployed immediately" (from their blog) No other vendor provided details about their plans to deploy fixes. --Credits This vulnerability was found and researched by Thai Duong from VNSecurity/HVAOnline and Juliano Rizzo from Netifera. Greeting to all members of VNSecurity, HVAOnline and Netifera. The authors would like to thank Huong L. Nguyen, rd, Gunther, Bruce Leidl, and Alex Sotirov for reading and editing the draft of this advisory. --Technical Details Download the complete advisory from: http://netifera.com/research/ Or read it in your browser and leave comments in Thai's blog: http://vnhacker.blogspot.com/ We hope you enjoy reading this advisory as much as we enjoy writing it.
