Sunday, September 27, 2009

Flickr's API Signature Forgery Vulnerability

This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API. When combined with other vulnerabilities and attacks, an attacker can gain access to accounts of users who have authorized any third party application.

Scored.

# Posted via web from opportunity__cost