Flickr is a site for storing photos, videos and other media. The authentication flow is integrated with AWS Cognito using the OpenID Connect flow, which is quite similar to the standard OAuth2 flow. Cognito has an interesting quirk though: the token passed back to a user can be used in the AWS CLI.
By default, the token has some permissions for the Cognito AWS service. To start with, the author simply ran get-user directly at AWS. To their surprise, this returned information, including internal statistics, about the user. Besides reading, the attributes can be written to as well.
Since these attributes control the flow of authentication and are assumed to ONLY be written by the backend of the application, this bypasses many of the verification steps. At this point, assumptions about the system have been broken, wh
OpenID Connect has a unique identifier for each user, called the sub. While looking at the user attributes, the author noticed that this was the email instead of an unchangeable ID, as the specification requires. If a changeable identifier is used as the sub, then assuming the role from a third party may cause permission problems.
During the login flow, Flickr normalizes the email address to all lowercase letters on the backend. However, the same normalization is not applied when the user attributes are set. As a result, a user can set an email attribute containing uppercase letters and then assume the account of somebody who legitimately signed up with that email. Account takeover!
The author adds a few hints at the end for developers. First, be careful with the sub claim when authenticating users. Secondly, ensure that the Cognito attributes are locked down properly once the token is returned. Third, verify the email in the login flow for Cognito.
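The following is an added illustration, not code from the original write-up or from Flickr, of the three hints above: it shows why resolving a login by email address is fragile when the identity provider lets the user edit that attribute and normalizes it differently from the backend, and how keying on the stable OIDC sub claim (together with the issuer and an email_verified check) avoids the collision. The token claims, issuer URL and account table are constructed sample data, and the claims are assumed to be already signature-verified.

```python
"""
Added example (not from the original post): account resolution keyed on the
user-editable email attribute versus the stable OIDC (iss, sub) pair.

Assumptions: the claim dicts below are constructed sample data, taken to be
already signature-verified; ACCOUNTS stands in for the application's own
user table; the issuer URL is a placeholder.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    account_id: str
    email: str                                     # backend stores it lowercase
    linked_subs: set = field(default_factory=set)  # (issuer, sub) pairs

# Constructed sample: the victim signed up legitimately with this email.
VICTIM = Account("acct-1001", "alice@example.com")
ACCOUNTS = {VICTIM.account_id: VICTIM}

ISSUER = "https://cognito-idp.example.invalid/placeholder-pool"  # placeholder

# Constructed claims as the backend would see them after token verification.
VICTIM_CLAIMS = {"iss": ISSUER, "sub": "sub-victim",
                 "email": "alice@example.com", "email_verified": True}
# A separate identity whose editable email attribute differs only in case and
# was never verified by the provider.
OTHER_CLAIMS = {"iss": ISSUER, "sub": "sub-other",
                "email": "Alice@Example.com", "email_verified": False}

def normalize_email(email: str) -> str:
    """The backend's normalization; the provider-side attribute store does not apply it."""
    return email.strip().lower()

def resolve_by_email(claims: dict) -> Optional[Account]:
    """Fragile pattern: the backend lowercases the email for lookup, so any
    identity carrying that email, in any casing and verified or not, maps to
    the same account."""
    wanted = normalize_email(claims["email"])
    for acct in ACCOUNTS.values():
        if acct.email == wanted:
            return acct
    return None

def resolve_by_sub(claims: dict) -> Optional[Account]:
    """Hardened pattern: the account is found by the (iss, sub) pair, which the
    user cannot edit and which is unique per issuer."""
    key = (claims["iss"], claims["sub"])
    for acct in ACCOUNTS.values():
        if key in acct.linked_subs:
            return acct
    return None

def link_identity(claims: dict) -> Account:
    """First login for a given sub: attach it to an existing account only if the
    provider vouches for the email (email_verified is True) and the normalized
    address matches; otherwise create a fresh, separate account."""
    key = (claims["iss"], claims["sub"])
    existing = resolve_by_sub(claims)
    if existing is not None:
        return existing
    email = normalize_email(claims["email"])
    if claims.get("email_verified") is True:
        for acct in ACCOUNTS.values():
            if acct.email == email:
                acct.linked_subs.add(key)
                return acct
    new = Account(f"acct-{len(ACCOUNTS) + 1001}", email, {key})
    ACCOUNTS[new.account_id] = new
    return new

if __name__ == "__main__":
    print("by email, other identity ->", resolve_by_email(OTHER_CLAIMS).account_id)
    print("by sub, victim ->", link_identity(VICTIM_CLAIMS).account_id)
    print("by sub, other identity ->", link_identity(OTHER_CLAIMS).account_id)
```

The email-keyed lookup collapses the two identities onto the victim's account because the only thing separating them is letter case, which the backend discards. The sub-keyed path keeps them apart, and the email is allowed to influence account linking only when the provider asserts it is verified and the address is normalized the same way on both sides.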
From the security researcher's side, the more parties that are involved in authentication, the harder it is! Taking the time to understand the authentication flow will lead to DEEP bugs that are extremely impactful. This author has many other OpenID Connect bugs on their blog as well.