Flickr Account Takeover (7550 USD)

Original Post:
Flickr Account Takeover
We discussed this vulnerability as part of our weekly podcast on 11 January 2022

tl;dr There are two key issues with Flickr’s use of AWS Cognito for authentication. First, only the sub attribute is guaranteed to be unique and should be used to identify users. Second, the access_token provided can be used to modify user attributes. These issues can be chained: modify the email attribute (the attribute Flickr is using to identify accounts) so that one Cognito account maps to another user’s Flickr account.
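To make the root cause concrete, here is an added example (not Flickr’s or AWS’s code, and not from the original post) of a backend that maps Cognito identities to local accounts. The token claims are constructed stand-ins for the decoded, signature-verified payload of a Cognito ID token; the ACCOUNTS table and the simulated attribute change are likewise constructed. The assumption that a self-service email update arrives with email_verified set to false is labelled in the code. The email-keyed lookup is the pattern the tl;dr describes; the sub-keyed lookup is the fix.

```python
# Added example: keying accounts by Cognito "sub" instead of "email".
# Constructed data; not Flickr's or AWS's code.

# Constructed local account table, as a backend might hold it after two
# users signed up through Cognito. "sub" is Cognito's immutable, unique
# user identifier; "email" is a user-editable attribute.
ACCOUNTS = [
    {"sub": "11111111-aaaa-4bbb-8ccc-000000000001", "email": "victim@example.com",
     "photos": ["victim-holiday.jpg"]},
    {"sub": "22222222-dddd-4eee-8fff-000000000002", "email": "other@example.com",
     "photos": ["other-cat.jpg"]},
]

# Constructed claims for the second user's ID token after a normal login.
OTHER_CLAIMS = {
    "sub": "22222222-dddd-4eee-8fff-000000000002",
    "email": "other@example.com",
    "email_verified": True,
}


def simulate_email_update(claims: dict, new_email: str) -> dict:
    """Model the effect of a self-service UpdateUserAttributes call on the next
    token. Assumption (labelled): Cognito marks a freshly changed email as
    unverified until the user confirms it, so email_verified becomes False."""
    updated = dict(claims)
    updated["email"] = new_email
    updated["email_verified"] = False
    return updated


def lookup_by_email(claims: dict, accounts=ACCOUNTS):
    """Vulnerable pattern: identify the account by the mutable email claim."""
    for account in accounts:
        if account["email"] == claims.get("email"):
            return account
    return None


def lookup_by_sub(claims: dict, accounts=ACCOUNTS):
    """Hardened pattern: identify the account by the immutable sub claim.
    A changed email never changes which local account the token resolves to."""
    for account in accounts:
        if account["sub"] == claims["sub"]:
            return account
    return None


def email_is_trusted(claims: dict) -> bool:
    """Defensive check for any flow that must act on the email value itself
    (notifications, account recovery): only trust a verified email claim."""
    return bool(claims.get("email_verified"))


if __name__ == "__main__":
    changed = simulate_email_update(OTHER_CLAIMS, "victim@example.com")
    print("email-keyed :", lookup_by_email(changed)["photos"])   # wrong account
    print("sub-keyed   :", lookup_by_sub(changed)["photos"])     # correct account
    print("email trusted:", email_is_trusted(changed))            # False
```

The sub-keyed lookup is the one-line fix the tl;dr implies; the email_verified check is a second, independent guard for any code path that must rely on the email value rather than on the identity.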