Flickr, the massive online photo sharing site, lets you email photos to your account. You get your own, unique address to email content directly into your Flickr account from your cameraphone or your email program.
But before Yahoo remediated the situation, a high schooler who was poking it to see what it does found that the app was cooking up those account-specific email addresses using a stubby little dictionary that was a pushover for brute-force attacks.
An attacker could have exploited it by easily uploading pictures and videos, stuffing Flickr accounts with their own content, be it spammy, porny, trolly or anything else you can think of.
The finding comes from Jazzy, a high school senior with an interest in information security. He said in a blog post on Thursday that he reported the bug as soon as he verified it. Yahoo (owner of Flickr) quickly fixed it, and Jazzy got a $4000 bounty for his efforts.
Jazzy had been poking at Flickr for only about 30 minutes when he stumbled on the feature that lets you email photos to your account by sending an email to a specific address.
Hmm, Jazzy mused, what if an attacker could figure out the emails used with each account? You don’t even need a password to upload photos and videos to victims’ accounts.
He couldn’t figure out a way to get the system to leak email addresses, but he did find a button for changing the email address and getting a new one. Click it, and bam, he instantly got a new email address. Do it again, and again, and again, and Jazzy started to see a pattern.
It looked like this:
[Random dictionary word][Random number 0-100][Random Dictionary word]@photos.flickr.com
Jazzy noticed that the dictionary word was always shorter than 6 characters. That’s when thoughts of brute-forcing the address came to mind. He didn’t expect it to work; he assumed that Flickr would use a big dictionary – one that made guessing a real email address very unlikely. Still, he gave it a go: he whipped up a Python script that changed his email address over and over and waited.
He set it up to run overnight and by morning Flickr had returned about 20,000 email addresses. He spun up a quick script to sort through the addresses and found only 935 unique words were used across all of them.
This actually blew my mind. Out of 23,000 email addresses, only 935 unique words were used. This was that “WHAAAATTT!!!” moment.
By his calculations, if Jazzy generated email addresses himself from the permutations of the dictionary words he had enumerated, one out of two would be a valid Flickr email: better than a 50% chance of hitting a real account with each guess.
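To make those numbers concrete, here is an added example (not Jazzy’s script or Flickr’s code) that parses addresses in the pattern he described, counts the distinct dictionary words in a sample, works out how big the resulting keyspace is in bits, and shows what an unguessable replacement scheme looks like. The sample addresses are constructed for illustration.

```python
import re
import secrets
from math import log2

# Constructed sample of issued addresses in the shape the article describes:
# [word][number 0-100][word]@photos.flickr.com. Made-up values, not real ones.
SAMPLE_ADDRESSES = [
    "apple17river@photos.flickr.com",
    "river3stone@photos.flickr.com",
    "stone88apple@photos.flickr.com",
    "cloud100river@photos.flickr.com",
    "apple0cloud@photos.flickr.com",
]

ADDRESS_RE = re.compile(r"^([a-z]+)(\d{1,3})([a-z]+)@photos\.flickr\.com$")


def parse_address(addr):
    """Split an address into (word1, number, word2); None if it doesn't fit the pattern."""
    m = ADDRESS_RE.match(addr)
    if not m:
        return None
    word1, number, word2 = m.group(1), int(m.group(2)), m.group(3)
    if not 0 <= number <= 100:  # the middle slot is a number from 0 to 100
        return None
    return word1, number, word2


def vocabulary(addresses):
    """Distinct dictionary words seen in either word slot across a sample."""
    words = set()
    for addr in addresses:
        parsed = parse_address(addr)
        if parsed:
            words.add(parsed[0])
            words.add(parsed[2])
    return words


def keyspace(num_words, num_numbers=101):
    """Total addresses the scheme can produce, and the equivalent entropy in bits.

    With 935 words and 100 numbers this is about 87 million addresses, i.e.
    roughly 26 bits of entropy, which is a brute-force budget, not a secret."""
    size = num_words * num_numbers * num_words
    return size, log2(size)


def hardened_address(domain="photos.flickr.com", nbytes=16):
    """Replacement scheme: a 128-bit token from the OS CSPRNG instead of a word list."""
    return f"{secrets.token_urlsafe(nbytes)}@{domain}"
```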
An attacker could exploit the situation quite efficiently, Jazzy said:
We could generate all the 87.5 million emails, and then just write a script which would mass mail each one of those emails. Flickr doesn’t verify what address the email came from, so we can send emails from any random address and they would still get uploaded.
It won’t even take more than 3 hours to send 87.5 million emails using a multithreaded script and some power. And we can even send a single email to multiple addresses by CC/BCC, which would further reduce the number of emails to send.
Now by exploiting this, an attacker can easily upload pictures and videos [to] any Flickr account.
Jazzy reported the bug as soon as he had verified it. Yahoo, to its credit, marked it as P1 – a critical bug that needs an immediate fix. And that’s what Jazzy’s bug got: a fast fix.
So until the next P1 pops up, we have Jazzy to thank for our Flickr accounts not getting overloaded with somebody else’s garbage. Thanks, Jazzy!