Flickr: Invitations disclosure (resend feature)

317 points by mathias about 11 years ago

25 comments

secalex about 11 years ago
Hey, HN, CISO of Yahoo here, typing on a phone at a kid's birthday, so excuse the formatting.

We run a very progressive bug bounty program that allows bugs like this to be posted publicly. Every once in a while we might miss something out of the thousands of invalid reports we receive every month, and we made a mistake in the triage of this bug. The bug is fixed and we won't make the same mistake again. We definitely consider info disclosure to be a class of issue that needs to be addressed, and to infer otherwise from one mistake is incorrect.

There are a handful of companies experimenting with this kind of open bounty model, and if we want it to survive (I certainly do) then we are all going to have to be willing to iterate to fix the problem, and move on.

Comment #7541685 not loaded
abalone about 11 years ago
I love how publicly posting bugs shifts the balance of power. "schofield" probably thought it was just a conversation between Yahoo and the submitter. Now it's a conversation between Yahoo and Hacker News.

Welp, the verdict is schofield is being dense. Of course user relationship pairs are potentially sensitive. Therefore enabling attackers to discover them by enumerating your tiny key space is an issue.

Either schofield needs to wise up or Yahoo needs to put someone better in charge of their security issues.

Comment #7540565 not loaded
Comment #7540383 not loaded
kintamanimatt about 11 years ago
The response to this bug is atrocious and shameful. The developer that responded to this did the same as putting on a blindfold and declaring that because they could no longer see the bug, it must not exist.

Right from the get-go, schofield showed incompetence when they declared they couldn't reproduce the bug, even though it was explained to them plainly and thoroughly!

How do these inept developers get hired?

Comment #7540316 not loaded
Comment #7540815 not loaded
Comment #7541387 not loaded
jpalomaki about 11 years ago
A simple fix seems to be to use a longer random id for the invitation.

As d4d1a179c0f3 mentions, this kind of information could be useful for setting up more targeted phishing attacks. "Hi John, remember the Flickr invite for holiday photos I sent you two weeks ago? I moved my albums to a new site, please go to blackhat.org/malwaredl.."

Comment #7540318 not loaded
andrelaszlo about 11 years ago
This bug was fixed just seconds ago. The power of HN :)

You can still load the invite/resend page, but you won't get any user info from it.
chris_overseas about 11 years ago
So I clicked on one of the example invite links listed in the bug report. I was then prompted to log in to my Yahoo account. Hmm, OK... so I logged in, at which point I was taken to a page with a form asking me to join Flickr. I did NOT fill in or submit the form because I don't want a Flickr account, though it was presented with defaults based on my Yahoo ID anyway. I closed that window and tried clicking on an invite link again. Much to my surprise, the link then worked and I received an email saying "Welcome to Flickr". What the hell?

[edit: on the plus side, Flickr make it very easy to delete your account entirely. The only obvious side effect is that the screen name you had is now unavailable for any further users]
diziet about 11 years ago
The collision rate seems pretty high, and for someone with a bit of resources (say 500 IPs) going through the ids would take ~3 days at 1 request per second.

The party would have a list of Flickr user / email combinations.

The best way to fix this, if they want to have the URLs keep working for some backward-compatibility reason, is probably severe rate limiting after x requests if they do not want to expire these requests -- right? Otherwise, something the size of a UUID will make the search space too large.

Comment #7541155 not loaded
Comment #7540886 not loaded
jcromartie about 11 years ago
Isn't this basically how weev got sent to federal prison?

Comment #7541036 not loaded
markbnj about 11 years ago
Can we not call this a "bug?" It's clearly a design weakness, and "schofield" said it was working as intended, ergo not a bug, but just a poor choice of mechanism. Pretty humorous that "schofield" thought it was fine the way it is. Guess that has been cleared up by the internet. It's pretty trivial to generate a random, non-guessable, unique code to use as a lookup key for the invitation, and I guess that's what they've done.
zhte415 about 11 years ago
Knowing an individual's network of names and email contacts in a highly specific domain could be quite attractive for a phisher. This seems quite different from viewing the contact list on, say, Twitter, where an individual explicitly makes their contacts known to the world (and via synonym only).

The response surprises me.
e28eta about 11 years ago
I saw a similar issue with a company that sold tickets to events several years ago. They sent me an email with a link to my e-ticket. The URL had a sequential id, and there was no auth/verification that I was the one who purchased it.

So, I took a look at the person who ordered before me, and was able to view their name/address, and could have printed their tickets to the event!
tszming about 11 years ago
Actually the Yahoo! employee (schofield?) in the above link is right and you cannot blame him for this - it is because Yahoo! really thinks first name + last name + email are not private information AFAIK, not particularly for Flickr; there are multiple ways to retrieve this information...

Comment #7541244 not loaded
Comment #7541412 not loaded
Comment #7541074 not loaded
Comment #7541156 not loaded
vletmixutechre about 11 years ago
Aw, I was in the middle of writing a scraper for this and it seems they have now "fixed" it.
andenq about 11 years ago
Well, that's messed up... At least now I know how spammers get my email :D

Comment #7540312 not loaded
Comment #7540397 not loaded
merijn481 about 11 years ago
Yahoo has fully embraced working with security researchers. For a company their size (they're no. 1 in web traffic!) with that many different services, they're doing an amazing job. No company that size has ever moved this fast. Yes, they're catching up, but they do it fast!
peterwwillis about 11 years ago
Why the hell do companies think it's trivial to just give away data about huge swaths of their user base? Is it some kind of ego thing, like, they aren't willing to admit it's a security issue, so they just pretend like this is a feature and not a bug?
Joshu42 about 11 years ago
It's really easy to capture contacts this way. As Mathias said, they have to limit the view of the saved form to the one who sent it in the first place... and add an expiration for deleting such data.

So what's missing? An ID for knowing the first sender, a timestamp, a checking process and a garbage collector to delete the expired ones periodically? OK, we don't add a column so easily in the big DB table here, but they can add a sister table with both IDs, the timestamp and an "IsActive" boolean... and start filling the new table with no reference ID, so only the timestamp works for the existing ones. The system will repair itself at the end of the expiration date.

Comment #7541489 not loaded
mathias about 11 years ago
Looks like someone just changed the title of this HN submission. For the record, it originally said: "Full name and email for every Flickr invite ever sent can be viewed by anyone", which was accurate at the time of posting.

Comment #7542492 not loaded
maouida about 11 years ago
To fix this, they should

- make the link protected by login

- accept only POST requests

- generate more complicated, hard-to-guess tokens

Comment #7540826 not loaded
Comment #7540892 not loaded
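The fix that Joshu42's comment (sender ID, timestamp, "IsActive" flag, periodic garbage collector) and maouida's list (login-protected link, unguessable tokens) sketch out, written here as an added example for this thread and not as Flickr's or any commenter's code. The in-memory dictionary standing in for the "sister table", the two-week expiry and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the "sister table": token hash -> sender, timestamp, active flag.
INVITES: dict = {}
TOKEN_TTL_SECONDS = 14 * 24 * 3600  # assumed two-week expiry


def _hash(token: str) -> str:
    # Store only a hash: a leaked table then yields no usable resend links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_invite(sender_id: str, now: Optional[float] = None) -> str:
    """Return a 256-bit random token (not a small sequential id); keep only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # CSPRNG, 43 URL-safe characters
    INVITES[_hash(token)] = {"sender_id": sender_id, "created_at": now, "is_active": True}
    return token


def view_resend_form(token: str, viewer_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Only the logged-in original sender sees the saved form, and only before expiry."""
    now = time.time() if now is None else now
    rec = INVITES.get(_hash(token))
    if rec is None or not rec["is_active"]:
        return None
    if now - rec["created_at"] > TOKEN_TTL_SECONDS:
        rec["is_active"] = False  # lazy expiry on access
        return None
    # Bind the view to the sender; constant-time compare avoids a timing side channel.
    if not hmac.compare_digest(rec["sender_id"], viewer_id):
        return None
    return {"sender_id": rec["sender_id"], "created_at": rec["created_at"]}


def gc_expired(now: float) -> int:
    """Periodic garbage collector: deactivate every expired invite, return how many."""
    count = 0
    for rec in INVITES.values():
        if rec["is_active"] and now - rec["created_at"] > TOKEN_TTL_SECONDS:
            rec["is_active"] = False
            count += 1
    return count
```

Rate limiting and "POST only" belong in the web layer in front of these functions; the token length alone already makes enumeration of the key space infeasible.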
mantrax4 about 11 years ago
Schofield, you're *fired*!

Maybe the incentives are wrong. Fewer bugs, less work for the dev.

Maybe the people processing bug submissions should be paid more per bug submitted and should not be on the same team as the developers.

But there's an ocean of incompetence out there, and clever processes can only get you so far when you're dealing with incompetence.
pratnala about 11 years ago
Shame on you, Yahoo!
nilved about 11 years ago
I have no idea why anybody would do business with a company as awful as Yahoo in 2014.

Comment #7542845 not loaded
yp_master about 11 years ago
Anyone able to view this site without JavaScript?
flylib about 11 years ago
The completely unbacked propaganda license response by Yahoo to the OpenStack/MongoDB fiasco and now this are making me want to delete my account on the site.
ludicast about 11 years ago
<paranoid>This is why the bitcoin thefts concern me. Now you have a bunch of bad guys with battle-tested black-hat skills and plenty of millions at their disposal.

So they can easily afford a giant cluster to throw up phantomjs instances to scrape this data in an easily throttleable way. Not that they would be particularly interested in this case, but similar ones for sure.

I think we will see this WAY more in the future. If your email/name retrieval is not an intractable problem, you might as well put up a spreadsheet with the info.</paranoid>