Privacy flaw on photo sharing website initially dismissed as ‘working as designed’ and not making sensitive data available

This article is more than 6 years old

Yahoo has closed a months-old bug that let anyone access the name, email and message sent by Flickr users who invited friends to join the photo sharing service.

But the web company was criticised for acting too slowly after the bug was brought to its attention. Its staff initially suggested that the system was “working as designed” when the flaw was pointed out.

The privacy hole exposed the entire contents of the private invitations. But Yahoo engineers originally dismissed concerns, suggesting that the system was part of the invitation resend function, and insisting that “sensitive data” was not being made available.

“We are not seeing the security implications here. You would have to know (or guess) the invitation id to only see an invitation,” said Schofield, a member of the Yahoo bug team, in a discussion on the HackerOne bug reporting site earlier in 2014.

The flaw allowed anyone to see invitations sent to non-Flickr users via a simple web address ending with a unique invitation identity number. The number could be guessed or iterated to reveal the original invitation, including the personal message, the sender’s name and both the sender’s and the recipient’s email addresses.

Spam and phishing targets?

Malicious parties could abuse the system with automated processes to collect real names, email addresses and personal information, which could be sold on to third parties, used for phishing attacks on Flickr users or used for sending spam.
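The flaw class described above (a resend link keyed only on a guessable, sequential id, with no check that the viewer is a party to the invitation) and its defensive counterparts, as an added example that is not Flickr’s or Yahoo’s code: a vulnerable lookup, a hardened store that keys invitations on an unguessable token and shows anyone else only a generic page or a login page (the post-fix behaviour the article describes), and a detector run over constructed access-log lines that flags a client walking the id space rather than opening one emailed link. The path `/invite/resend/<id>`, the log format, and every id, name and address below are assumptions constructed for the example.

```python
"""Added illustration of a guessable-id invitation lookup, its hardened form,
and log-based detection of id enumeration.  All identifiers, addresses and log
lines are constructed for this example; nothing here is Flickr's or Yahoo's code."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class Invitation:
    sender_name: str
    sender_email: str
    recipient_email: str
    message: str


# Constructed sample data keyed on sequential ids, as a resend link such as
# /invite/resend/<id> (assumed path) would expose them.
INVITES_BY_SEQ_ID = {
    1001: Invitation("Alice", "alice@example.com", "bob@example.com", "Join me on the photo site!"),
    1002: Invitation("Carol", "carol@example.com", "dave@example.com", "Here are the wedding albums."),
}


def view_invitation_vulnerable(invite_id: int) -> Optional[Invitation]:
    """Vulnerable pattern: the only 'key' is a sequential id and nothing checks
    that the caller is a party to the invitation, so a guessed or iterated id
    returns the full message, names and addresses."""
    return INVITES_BY_SEQ_ID.get(invite_id)


class InvitationStore:
    """Hardened pattern: unguessable token plus an authorization check."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def create(self, inv: Invitation) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: cannot be iterated
        self._by_token[token] = inv
        return token

    def view(self, token: str, requester_email: Optional[str]) -> Union[Invitation, str]:
        """Return the invitation only to an authenticated sender or recipient.
        Unauthenticated callers get the login page; everyone else gets the same
        generic page whether or not the token exists, so nothing is leaked."""
        if requester_email is None:
            return "login-page"
        inv = self._by_token.get(token)
        if inv is None or requester_email not in (inv.sender_email, inv.recipient_email):
            return "generic-invite-page"
        return inv


# Constructed access-log format: client "GET /invite/resend/<id>" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) "GET /invite/resend/(?P<id>\d+)" (?P<status>\d{3})$')

# Constructed sample log: 203.0.113.7 walks consecutive ids; 198.51.100.2 opens one link.
SAMPLE_LOG = """\
203.0.113.7 "GET /invite/resend/1001" 200
203.0.113.7 "GET /invite/resend/1002" 200
203.0.113.7 "GET /invite/resend/1003" 200
203.0.113.7 "GET /invite/resend/1004" 200
203.0.113.7 "GET /invite/resend/1005" 200
198.51.100.2 "GET /invite/resend/1002" 200
"""


def find_enumerating_clients(log_text: str, min_requests: int = 5, max_gap: int = 2) -> Dict[str, int]:
    """Flag clients that request at least `min_requests` distinct ids lying at
    most `max_gap` apart in sorted order, the signature of iterating an id
    space.  Returns {client: number_of_distinct_ids} for flagged clients."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_client[m["ip"]].add(int(m["id"]))
    flagged: Dict[str, int] = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_requests:
            continue
        ordered = sorted(ids)
        close_steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if close_steps >= min_requests - 1:
            flagged[client] = len(ids)
    return flagged


if __name__ == "__main__":
    print("vulnerable lookup of guessed id 1002:", view_invitation_vulnerable(1002))
    store = InvitationStore()
    tok = store.create(INVITES_BY_SEQ_ID[1001])
    print("hardened, stranger with token:", store.view(tok, "mallory@example.com"))
    print("flagged clients:", find_enumerating_clients(SAMPLE_LOG))
```

The token alone is not the fix: the authorization check in `view` is what stops a leaked or forwarded link from exposing the invitation to a third party, and the identical generic page for unknown and unauthorized tokens avoids turning the endpoint into an oracle for which tokens exist. The detector’s thresholds are illustrative; in production they would be tuned against the normal rate at which one client legitimately opens invitation links.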

After the flaw was publicly disclosed, Yahoo backtracked, two months after first dismissing it, and closed the privacy hole on Sunday, so that invitations can no longer be seen online by anyone not party to them.

“This bug has been fixed. We definitely consider this class of info disclosure to be an issue worthy of addressing and we’re sorry about the initial mistake. We’ll get back to you with bounty information shortly. Thank you for your patience and diligence,” said Alex Stamos, the chief information security officer for Yahoo, ending the HackerOne thread.

Following links to the resend pages now leads to a generic photo invitation page for Flickr users, or a Yahoo login page which doesn't show the contents. The pages also seem to have been removed from caches online.

Protect against surveillance

The error is embarrassing for Yahoo, which positioned Flickr as the privacy-minded photo sharing alternative to Facebook in May last year with a complete site redesign and free storage upgrade, part of the Yahoo chief executive Marissa Mayer’s plan to turn the declining technology company around.

Yahoo has taken recent steps to increase security and privacy after the NSA revelations, including the appointment of Stamos, a well-known security researcher and outspoken critic of the NSA’s mass surveillance programme.

Last week, Stamos announced that Yahoo’s aim was to make sure “all traffic through Yahoo will be encrypted by default”, making user privacy one of Yahoo’s focuses.

“Anything we can do to protect users against widespread, non-targeted surveillance is our duty,” Stamos said.

It is unknown how much personal data was compromised or collected via the invitation vulnerability before it was fixed.
