Industry News

Yahoo shows cavalier attitude to info-leaking Flickr vulnerability, but finally plugs privacy hole

I have long believed that for security to succeed inside a company, it really needs to be part of their DNA. You need to live-and-breathe security every day to have a proper chance of protecting your computers and sensitive data (and that of your customers and partners) from hackers and privacy breaches.

And some companies just haven’t got it yet.

Yahoo, for instance, hasn’t had the most spotless record when it comes to plugging security holes and protecting its hundreds of millions of users from vulnerabilities.

For many years it lagged behind other webmail services by not offering secure HTTPS connections to protect users as they accessed their email from public WiFi hotspots, and until it embarrassed itself recently by offering researchers who found a serious security hole in its systems a $12.50 voucher (which could only be spent in the Yahoo merchandise store) it didn’t have a proper bug bounty program.

And while all this was going on, it emerged that behind the scenes intelligence agencies had managed to intercept unencrypted communications between Yahoo’s data servers (in fairness, Google was also a victim of the same problem) scooping up vast amounts of private information about users, and even snooping on confidential (and often naked) Yahoo Messenger webcam conversations.

However, in the last week or two there have been some encouraging signs. For instance, Yahoo has announced that it now encrypts all traffic between its data centers, and turns on HTTPS encryption by default on its home page, providing a higher level of protection for its userbase.

Could it be that Yahoo has finally “got it”?

Well, don’t count your chickens before they’ve hatched. Or to use another avian allusion, one swallow doesn’t make a summer.

As The Guardian reports, a security researcher recently found a privacy hole on Flickr that could lead to email addresses and private messages being exposed – but Yahoo, which owns Flickr, at first were in complete denial about the seriousness of the issue.

A couple of months ago, a user reported a security hole that made it child’s play to read invitation emails sent by Flickr users.

That meant that email addresses (of both the person sending the invitation, and the one receiving it) and any private message accompanying the invitation could be read by unauthorised parties.

As The Guardian reported:

The flaw allowed anyone to see invitations sent to non-Flickr users using a simple web address ending with a unique invitation identity number. The number could be guessed or iterated to reveal the original invitation, including the personal message, the sender’s name and both the sender and recipient’s email addresses.

Malicious parties could abuse the system using automated processes to collect real names, email addresses and personal information which could be sold on to third parties or used for phishing attacks on Flickr users or sending spam.

And yet, a Yahoo representative dismissed the vulnerability report claiming that the system was “working as designed”.

To my mind that was a cavalier response. If the Yahoo rep couldn’t see the seriousness of the bug that was being disclosed then he really shouldn’t be given the responsibility to make those kind of decisions.

It’s no wonder security researchers sometimes get frustrated with dot com gorillas like Yahoo when it comes to security.

Fortunately Yahoo has now seen the light, about this issue at least. It finally backtracked last weekend, saying that it had closed the privacy hole and preventing Flickr invitations from being seen by anyone other than those included in the message.

Alex Stamos, Yahoo’s chief security officer, confirmed the change of mind:

“This bug has been fixed. We definitely consider this class of info disclosure to be an issue worthy of addressing and we’re sorry about the initial mistake. We’ll get back to you with bounty information shortly. Thank you for your patience and diligence.”

Companies like Yahoo need more people like Alex Stamos, who actually has a background finding security holes in systems.

Unfortunately, changes of company culture and attitude to security cannot take place overnight, but when millions of users are trusting an online firm with their personal information and messages it can’t come quickly enough.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.