In the past day or so I’ve written a new Python library for Flickr. It came from some frustration using other Python libraries. They’re all great, but none of them work quite how I want. My goal was to have a library that feels like Python and the Flickr API at the same time. I […]
In my last post I set out to describe how easy it is to extract private keys from desktop software. As I was concluding I stumbled on an alternative approach that might be more secure in some circumstances. I didn’t really go into details, so here’s an expansion of the idea. Current API authentication mechanisms […]
Using secret keys to identify applications communicating across the internet has become popular as people have copied the very successful Flickr authentication API. Unfortunately people trust that they can keep these keys secret from attackers, even as they distribute applications that contain the secret keys to other people. I decided to see how hard it […]
[flickr-photo:id=1187679,size=m] Recently Flickr closed a little security hole I found in their API authentication. I was able to convince their servers to hand out a token to me based on a user’s cookies and the API key and secret key of an application the user had used. Then with the JSON form of the Flickr API I had full access to the user’s account.
The there two flaws in Flickr’s security that exposed this problem. The first was that the security is based on the assumption that applications can keep a key secret. This is easy for web applications that make server to server API calls, but for anything that a user downloads and especially open source software it’s impossible to keep the key secret. My experiment used the secret key from Flock which is open source – the secret key can be found in subversion, and the secret key from Flickr’s own MacOS X uploader application which can be easilly extracted from the download from their site. Secondly the Flickr server was giving out new authentication tokens without requiring user approval.
The exploit itself is a little state-machine making a series of Flickr API calls and using one IFRAME. It goes like this:
- Request a frob (via JSON)
- Request authentication (via an IFRAME)
- Request the auth token (via JSON)
- Do evil (via JSON)
In my case the evil consisted of posting a comment on the user’s most recent photo.