Flickr Account Takeover ($7550 USD)
Original Post:
We discussed this vulnerability during Episode 109 on 10 January 2022
tl;dr There are two key issues with Flickr's use of AWS Cognito for authentication. First, Cognito only guarantees that the sub attribute is unique, so sub is the attribute that should be used to identify users. Second, the access_token that Cognito issues can be used to modify user attributes. Chained together, these allow an attacker to modify the email attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user's Flickr account.
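To make the lookup-key mistake concrete, here is an added illustration (not Flickr's code and not from the original post) of a backend resolving a Cognito identity to an application account. The Account table, the claim dictionaries and the e-mail addresses are constructed sample data; the claim names sub, email and email_verified are the ones Cognito places in its ID token. The vulnerable resolver keys on email, the hardened one keys on sub, and a third helper only trusts the e-mail claim once Cognito reports it as verified.

```python
"""Cognito identity -> application account: lookup by email (weak) beside
lookup by sub (correct).  Constructed example, not Flickr's implementation."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: str
    cognito_sub: str
    email: str
    photos: List[str] = field(default_factory=list)


# Constructed sample data: two users already registered with the application.
ACCOUNTS: List[Account] = [
    Account("acct-1001", "11111111-aaaa-4bbb-8ccc-000000000001",
            "victim@example.com", ["holiday.jpg"]),
    Account("acct-2002", "22222222-bbbb-4ccc-8ddd-000000000002",
            "attacker@example.com", []),
]

BY_EMAIL: Dict[str, Account] = {a.email: a for a in ACCOUNTS}
BY_SUB: Dict[str, Account] = {a.cognito_sub: a for a in ACCOUNTS}


def resolve_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable: email is a user-writable attribute, so whoever can change
    it on their own Cognito user controls which account this returns."""
    return BY_EMAIL.get(claims.get("email"))


def resolve_by_sub(claims: dict) -> Optional[Account]:
    """Hardened: sub is the only attribute Cognito guarantees unique and it
    is immutable, so the mapping cannot be redirected by attribute edits."""
    return BY_SUB.get(claims.get("sub"))


def email_for_notifications(claims: dict) -> Optional[str]:
    """Where the application genuinely needs the address (for mail, not for
    identity), accept it only when Cognito marks it verified."""
    if claims.get("email_verified") is True:
        return claims.get("email")
    return None


# Constructed ID-token claims for the second user, before and after that user
# rewrites the email attribute on their own Cognito user.  In the "after"
# claims the new address is shown as unverified.
ATTACKER_CLAIMS_BEFORE = {
    "sub": "22222222-bbbb-4ccc-8ddd-000000000002",
    "email": "attacker@example.com",
    "email_verified": True,
}
ATTACKER_CLAIMS_AFTER = {
    "sub": "22222222-bbbb-4ccc-8ddd-000000000002",
    "email": "victim@example.com",
    "email_verified": False,
}


def demo() -> dict:
    """Return which account each resolver hands back for the rewritten claims."""
    weak = resolve_by_email(ATTACKER_CLAIMS_AFTER)
    strong = resolve_by_sub(ATTACKER_CLAIMS_AFTER)
    return {
        "by_email": weak.account_id if weak else None,     # "acct-1001": wrong user
        "by_sub": strong.account_id if strong else None,   # "acct-2002": own account
        "trusted_email": email_for_notifications(ATTACKER_CLAIMS_AFTER),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the identity key must be something the user cannot change: sub satisfies that, email does not. As a second, configuration-side layer, a Cognito app client can be given write permission on only the attributes the application expects users to edit, so that an access token cannot rewrite attributes the backend relies on; that is an assumed deployment choice here, not something the post states Flickr had done.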