TAILIEUCHUNG - Flickr's API Signature Forgery Vulnerability

1. Vulnerability Description Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr's API consists of a set of callable methods, and some API endpoints. To perform an action using the Flickr's API, you need to select a calling convention, send a request to. | Flickr s API Signature Forgery Vulnerability Thai Duong and Juliano Rizzo Date Published Sep. 28 2009 Advisory ID MOCB-01 Advisory URL http research Title Flickr s API Signature Forgery Vulnerability Remotely Exploitable Yes 1. Vulnerability Description Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009 it claims to host more than billion images. In order to allow independent programmers to expand its services Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr s API consists of a set of callable methods and some API endpoints. To perform an action using the Flickr s API you need to select a calling convention send a request to its endpoint specifying a method and some arguments and will receive a formatted response. Many methods require the user to be logged in. At present there is only one way to accomplish this. Users should be authenticated using the Flickr Authentication API. Any applications wishing to use the Flickr Authentication API must have already obtained a Flickr s API Key. An 8-byte long shared secret for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process which is required for all API calls using an authentication token. In addition calls to the . methods and login URLs pointing to the auth page on Flickr must also be signed. For more details please read the Flickr Authentication API Spec 1 . This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability an attacker can send valid arbitrary requests on behalf of any application using Flickr s API. When combined with other vulnerabilities and attacks an attacker can .

• Quản trị Web
• internet skills
• web development tools
• computer tricks
• internet skills
• management web
• Flickrs API libraries
• Using internet assisted learning method
• Developlistening skills
• Business English
• Studentsat national Economics University
• Business English studentsat
• Maps for the Future
• Teaching cartographical skills
• Cartography at elementary school level
• Cartography in textbooks
• Geographic school atlases for children
• Internet mapping education
• BMC Musculoskeletal Disorders
• Knee osteoarthritis
• Knee pain
• Pain coping skills
• Health care delivery
• Randomised control trial
• computer skills
• computer tips
• experience using computers
• tips on installation
• computer network systems
• network management
• Internet Routing Architectures
• A guide to MATLAB
• Beginners and experienced users
• Developing your MATLAB skills
• MATLA bandthe internet
• MATLAB help on the internet
• công nghệ thông tin
• tin học
• internet
• computer network
• microsoft office
• công nghệ thông tin
• tin học
• mạng
• web
• electronic information
• web security
• web domain name
• how to create web pages
• web programming
• web development
• web management
• documentation on Drupal 6
• PR techniques
• using the Internet to business and business in marketing
• business skills
• art sales
• art marketing
• personnel management
• currency trading
• multi level business
• MLM business administration
• business administration industry
• business school
• school enrichment
• ad sales
• book business
• business books today
• LAN
• tips
• network installation
• network operators
• network ADSL
• flash basics
• tips on image processing
• photo editing techniques
• skills
• tips on setting up websites
• website optimization
• website development
• web design
• design guidelines joomla templates
• Income Taxation
• Current Influences
• the Issue
• the Internet
• Planning Skills
• Key Concepts
• Tax Practice