Rootbiez: [Hacking] Flickr’s API Signature Forgery Vulnerability
January 17th, 2010 by popularscience

Flickr's API Signature Forgery Vulnerability
Thai Duong and Juliano Rizzo

Date Published: Sep. 28, 2009
Advisory ID: MOCB-01
Advisory url: http://netifera.com/research/flickr_api_signature_forgery.pdf
Title: Flickr's API Signature Forgery Vulnerability
Remotely Exploitable: Yes

1. Vulnerability Description

Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do.
To perform an action using Flickr's API, you need to select a calling convention, send a request to its endpoint specifying a method and some arguments, and you will receive a formatted response. Flickr's API consists of a set of callable methods and some API endpoints. Many methods require the user to be logged in. At present there is only one way to accomplish this: users should be authenticated using the Flickr Authentication API.

Any application wishing to use the Flickr Authentication API must have already obtained a Flickr API Key. An 8-byte long 'shared secret' for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process, which is required for all API calls using an authentication token. In addition, calls to the flickr.auth.* methods and login urls pointing to the auth page on Flickr must also be signed. For more details, please read the Flickr Authentication API Spec [1]. This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API.

When combined with other vulnerabilities and attacks, an attacker can gain access to accounts of users who have authorized any third party application. Additionally, if an application uses PHPFlickr >= 1.3.1, an attacker can trick users of that application into visiting arbitrary web sites. This may apply to other Flickr API libraries and applications as well.

2. Vulnerable Web Services

A large number of other web sites provide API services whose architecture is the same as Flickr's API. They are potentially vulnerable. We don't have a complete list, but here are some popular web sites:

* DivShare http://www.divshare.com/
* iContact http://www.icontact.com/
* Mindmeister http://www.mindmeister.com/
* Myxer http://www.myxer.com/
* Remember The Milk http://www.rememberthemilk.com/
* Scribd http://www.scribd.com/
* Vimeo http://www.vimeo.com/
* Voxel http://www.voxel.net/
* Wizehive http://www.wizehive.com/
* Zooomr http://www.zooomr.com/

Please note that we haven't tested these web sites. They are included here because they describe the same signing process in their API documentation.

3. Vendor Information

An initial notification was sent to Yahoo! Flickr on Sep. 5, 2009. A draft of this advisory was sent to Yahoo! Flickr on Sep. 13, 2009. Yahoo! Flickr replied on Sep. 14, 2009 to acknowledge the vulnerability. Yahoo! Flickr sent us an email on Sep. 23, 2009 to say that they were going to deploy a fix in the same week.

An initial notification was sent to the vendors listed in Section 2 on Sep. 17, 2009. Another draft of this advisory was sent to them on Sep. 24, 2009. Here are the responses from some of them:

* Remember The Milk said that they have investigated and confirmed that the Remember The Milk API is not vulnerable to this particular known issue.
* Vimeo tried to fix the issue by making sure that the first parameter after sorting is always api_key and rejecting the request if it isn't. This fix doesn't work because we can make the first parameter be api_key and still append new data to the request.

No other vendor provided details about their plans to deploy fixes.

4. Credits

This vulnerability was found and researched by Thai Duong from VNSecurity/HVAOnline and Juliano Rizzo from Netifera. The authors would like to thank Huong L. Nguyen, rd, Gunther, Bruce Leidl, and Alex Sotirov for reading and editing the draft of this advisory. Greetings to all members of VNSecurity, HVAOnline and Netifera.

5. Technical Description

In Section 5.1 we introduce Flickr's API request signing process and its vulnerabilities. In Section 5.2 we describe the length-extension attack against Merkle-Damgård hashes. In Section 5.3 we describe our attack against Flickr's API. In Section 5.4 we discuss some exploitations, and finally in Section 5.5 we suggest some solutions that may help to fix the vulnerability.

5.1 Flickr's API Request Signing Process

Flickr requires that all API calls using an authentication token must be signed. In addition, calls to the flickr.auth.* methods and the urls that redirect users to the application authorization page must also be signed. The process of signing is as follows.

* Sort your argument list into alphabetical order based on the parameter name.
  * e.g. foo=1, bar=2, baz=3 sorts to bar=2, baz=3, foo=1
* Concatenate the shared secret and argument name-value pairs.
  * e.g. SECRETbar2baz3foo1
* Calculate the md5() hash of this string.
* Append this value to the argument list with the name api_sig, in hexadecimal string form, e.g. api_sig=1f3870be274f6c49b3e31a0c6728957f

There are two vulnerabilities in this signing process:

* As there are no delimiters between the keys and values, the signature for "foo=bar" is identical to the signature for "foob=ar"; moreover, the signature for "foo=bar&fooble=baz" is the same as the signature for "foo=barfooblebaz". See [2] for a similar vulnerability in Amazon Web Services.
* As MD5 is vulnerable to the length-extension attack (see Section 5.2), one can append arbitrary data to the request and still generate a valid signature without knowing the secret key.

When combining the second vulnerability with the first, one can easily forge any request on behalf of any Flickr application.

5.2 Length-Extension Attack On MD5

In short, the length-extension attack on a one-way hash construction means that, given h(m) and len(m), you are able to compute h(m||pad(m)||m') for any m' (where || stands for concatenation), even if you don't know the entire message m. This attack works on all Merkle-Damgård hashes (see [4, 5]) such as MD0-MD5 and SHA0-SHA2. This is also called the "message extension" or "padding" attack (see [6]). The rest of this section describes how this attack works on Flickr's API MD5 signature. What follows is detailed. You may want to skip reading it until you need it.

MD5 ([3]) follows the Merkle/Damgård iterative structure, where the hash is computed by the repeated application of a compression function to successive blocks of the message. (See Figure 1.) For MD5, the compression function takes two inputs - a 128-bit chaining value and a 512-bit message block - and produces as output a new 128-bit chaining value, which is input into the next iteration of the compression function. The message to be hashed is first padded to a multiple of 512 bits, and then divided into a sequence of 512-bit message blocks. Then the compression function is repeatedly applied, starting with an initial chaining value and the first message block, and continuing with each new chaining value and successive message blocks. After the last message block has been processed, the final chaining value is output as the hash of the message.

Figure 1. Merkle-Damgård hash construction (copied from Wikipedia)

According to [7], because of the iterative design, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. (See Figure 2.) Applying this to Flickr's API request signature, it follows that from MD5(SECRET||m), one can compute MD5(SECRET||m') for any m' that starts with m||p, where p is the Merkle-Damgård padding on SECRET||m. In other words, from the signature of m, one can forge the API signature of m||p||x for any x, without even knowing the shared secret key, and without breaking MD5 in any sense. To compute p, one just needs to know the length of SECRET||m, which is easy to compute in the case of Flickr's API.

Figure 2. Length-extension attack on MAC = MD(KEY||msg) (copied from [9])

5.3 Our Attack

As described in Section 5.2, we need a message m and its signature to obtain a longer message with a valid signature. It is easy to obtain a request signed by the target third party application provider. Flickr and many other Web 2.0 sites allow users to share data with third party applications without divulging the user's credentials. To do this, the application providers ask the user to visit a link like this:

http://flickr.com/services/auth/?api_key=[api_key]&perms=[perms]&api_sig=[sig]

Users are transported to the Flickr web site, where they are asked whether they want to allow the application to access their data. The api_key 16 bytes value identifies the application asking for permissions and api_sig is the signature of the request calculated using the secret shared between the application's developer and Flickr. This link is called the login url and is also a signed message, which is all we need to perform the attack. Before we start working on our message forging code, let's see what we have:

Message: SECRETapi_key[api_key]permsread (sorted and concatenated without '&=')
Signature: [api_sig]
Length: Length of Message + Length of SECRET

SECRET is the shared secret that Flickr and the application owner don't want to share with us and that we don't need anyway. Based on the API documentation we can deduce that the secret is 16 bytes. Although the length of the padding is always between 9 and 64 bytes, we need to know the exact size of the hashed data to reconstruct the sequence used as padding, because this value is included in the last 64 bits.

We can append anything to the request and calculate its signature, but we must keep the same prefix including the padding. Fortunately we have a simple way to avoid that prefix being a limitation. We can use the first char of the first variable as a variable name and all the rest of the original request, including the hash padding, as its value:

a=pikey[api_key]permsreadapi_sig[api_sig][padding]&api_key=[api_key]&perms=delete&new_key=new_value.

The annoying padding that includes non-alphanumeric values and always contains null bytes becomes part of a variable that will be ignored. The only limitation is that we cannot use new variable names that after sorting come before the 'a' variable, but this is not a problem in practice because 'a' is the first letter of the alphabet and there isn't any numeric API parameter name being used.

5.4 Exploitations

There are many ways one can take advantage of this vulnerability for fun and profit. Below are what we have come up with. Others may have better ways to take advantage of this vulnerability. Please note that what we write here applies only to Flickr's API.
This vulnerability may become much more dangerous in the case of other Flickr copycat API services. However, it would be up to those who have more time and/or evil than us to evaluate these services.

First off, an attacker can send arbitrary but valid requests on behalf of any third party application. This can be exploited to send requests using commercial API keys, which are AFAWK the same as non-commercial keys at the moment, but this may change in the future. This may also cause the application to be blocked by Flickr if the attacker sends abusive requests that violate the TOS of Flickr's API.

It is important to stress that this vulnerability alone doesn't give an attacker direct access to accounts of Flickr users, but being able to send arbitrary requests on behalf of any application brings him much closer to that goal. In order to compromise the account of a user, the attacker needs to steal a 'frob' or an 'auth_token' from that user. He can do that by attacking either the third party application or the user using techniques such as network sniffing or ARP/DNS spoofing or as simple as phishing. Google may help too, as always.

Additionally, if an application uses PHPFlickr >= 1.3.1, an attacker can trick users of that application into visiting arbitrary web sites. The login url accepts an undocumented 'extra' parameter which is passed back by Flickr to the client applications after the users finish authorizing the application. PHPFlickr >= 1.3.1 will automatically treat the 'extra' parameter as a url, and redirect the users to it. So if users click on a link like this:

http://www.flickr.com/services/auth/?a=pi_key[api_key]permsdelete[padding]&api_key=[api_key]&perms=read&api_sig=[api_sig]&extra=http://evil.com

where api_key belongs to some third party application using PHPFlickr, they'll be automatically redirected to http://evil.com if they have already authorized that application. This may lead to phishing or browser exploitation attacks. You can see how this works by following these steps (this may not work anymore if Yahoo! has fixed the issue):

* Authorize Preloadr, which is an application that uses PHPFlickr >= 1.3.1. You can do that by accessing this link:
  http://www.flickr.com/services/auth/?api_key=44fefa051fc1c61f5e76f27e620f51d5&extra=/login&perms=write&api_sig=38d39516d896f879d403bd327a932d9e
* Then click on this link:
  http://www.flickr.com/services/auth/?a=pi_key44fefa051fc1c61f5e76f27e620f51d5extra/loginpermswrite%80%60%02&api_key=44fefa051fc1c61f5e76f27e620f51d5&extra=http://vnsecurity.net&perms=write&api_sig=a8e6b9704f1da6ae779ad481c4c165a3
  which would redirect you to http://vnsecurity.net.

This vulnerability may apply to other Flickr API libraries and applications as well. Developers often use this 'extra' parameter to implement a custom callback system. Some sites include the original user's request url as the 'extra' value, which allows attackers to create signed login urls containing arbitrary strings in the 'extra' field. This may lead to full compromise of users' accounts if the developers also pass the 'frob' they get from Flickr onto the 'extra' url.

5.5 Suggested Fixes

This attack could be detected and blocked using the padding bytes as a signature, so a short term workaround is to reject all API calls containing 0x80 or 0x00. But filtering 0x80 or 0x00 would prevent applications from sending requests containing Unicode text, so you may consider our next suggestion.

A good long term solution is to switch to some other secure MAC implementation such as HMAC-SHA1 (see [8]). As most of the programming languages used on both the server and client side to work with web services provide access to HMAC functions, there isn't a good reason to use the message digest algorithms directly to produce a weak signature. The extension problem can be solved using a secure HMAC implementation, but it is also important to take care of the ambiguity problem in the signing input format.
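
The two points of Section 5.5, side by side, as an added example (not code from the advisory, Flickr or PHPFlickr): the Section 5.1 signing scheme gives identical signatures to parameter sets that mean different things, while HMAC-SHA1 over a length-prefixed encoding does not. The secret, the api_key value, the function names and the length-prefixed encoding are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"0123456789abcdef"  # constructed placeholder, not a real shared secret


def legacy_sig(secret, params):
    """Section 5.1 scheme: md5(SECRET + name1value1name2value2...), sorted by name."""
    joined = "".join(name + value for name, value in sorted(params.items()))
    return hashlib.md5(secret + joined.encode("utf-8")).hexdigest()


def canonical(params):
    """Length-prefix each name and value so field boundaries cannot shift."""
    out = bytearray()
    for name, value in sorted(params.items()):
        for field in (name.encode("utf-8"), value.encode("utf-8")):
            out += struct.pack(">I", len(field)) + field
    return bytes(out)


def hmac_sig(secret, params):
    """HMAC-SHA1 as suggested in Section 5.5, over the unambiguous encoding."""
    return hmac.new(secret, canonical(params), hashlib.sha1).hexdigest()


def verify(secret, params, api_sig):
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_sig(secret, params), api_sig)


KEY = "k" * 32  # constructed api_key value
# Parameter sets that mean different things but concatenate to the same string.
AMBIGUOUS_PAIRS = [
    ({"foo": "bar"}, {"foob": "ar"}),
    ({"foo": "bar", "fooble": "baz"}, {"foo": "barfooblebaz"}),
    ({"api_key": KEY, "perms": "read"}, {"a": "pi_key" + KEY + "permsread"}),
]


def compare_schemes(secret=SECRET):
    """Return (legacy signatures equal, HMAC signatures equal) for each pair."""
    return [
        (legacy_sig(secret, a) == legacy_sig(secret, b),
         hmac_sig(secret, a) == hmac_sig(secret, b))
        for a, b in AMBIGUOUS_PAIRS
    ]


if __name__ == "__main__":
    for legacy_equal, hmac_equal in compare_schemes():
        print("legacy collides:", legacy_equal, "| hmac collides:", hmac_equal)
    request = {"api_key": KEY, "perms": "read"}
    sig = hmac_sig(SECRET, request)
    print("valid request accepted:", verify(SECRET, request, sig))
    print("changed perms accepted:", verify(SECRET, dict(request, perms="delete"), sig))
```

The hash passed to hmac.new can be swapped for a newer one without changing the structure; what removes the ambiguity is the length-prefixed encoding, not the choice of digest.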

As suggested by Alex Sotirov, we want to stress that some sites have a similar API that's not vulnerable to our attack because they put the SECRET at the end rather than the beginning. Facebook is one example, see http://wiki.developers.facebook.com/index.php/Verifying_The_Signature. Please note that although the Facebook signing scheme is not vulnerable to the length-extension attack, we do not recommend it because it may be vulnerable to other known attacks (see [10]).

6. Conclusion

The length-extension attack on MAC implementations based on the MD hash construction has been known in the crypto academic community since as early as 1992 (see [6]). After 17 years, however, we still have a large number of systems vulnerable to this simple attack. What is even more surprising is the fact that we were the first to identify this vulnerability in such a popular system as Flickr.

Since August 2009 we have been carrying out research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more well-known crypto bugs. This case is just one example. We hope that publishing this vulnerability and other future results from our research will encourage the security community to take a more serious look at crypto bugs in software systems, which are as ubiquitous as SQL Injection or XSS were in the early 2000s.

We hope you guys have a good time reading this advisory as much as we guys have a good time writing it.

7. References

[1] Cal Henderson et al. Flickr Authentication API Spec. Retrieved September 6, 2009, from http://www.flickr.com/services/api/auth.spec.html.
[2] Colin Percival. AWS signature version 1 is insecure. Retrieved September 6, 2009, from http://www.daemonology.net/blog/2008-12.html.
[3] R. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. RSA Data Security, Inc., April 1992.
[4] I.B. Damgård. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology: Proceedings of CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 416-427. Springer-Verlag, New York, 1990.
[5] R. Merkle. One way hash functions and DES. In G. Brassard, editor, Advances in Cryptology: Proceedings of CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 428-446. Springer-Verlag, New York, 1990.
[6] G. Tsudik. Message authentication with one-way hash functions. ACM Computer Communications Review, 22(5):29-38, 1992.
[7] B. Kaliski and M. Robshaw. Message Authentication with MD5. RSA Labs' CryptoBytes, Vol. 1 No. 1, Spring 1995.
[8] M. Bellare, R. Canetti, and H. Krawczyk. RFC 2104 HMAC: Keyed-Hashing for Message Authentication, February 1997.
[9] H. Travis. Web 2.0 Cryptology, A Study in Failure. OWASP, 2009. Retrieved September 13, 2009, from http://www.subspacefield.org/security/web_20_crypto.pdf.
[10] B. Preneel, P.C. van Oorschot. MDx-MAC and building fast MACs from hash functions. Advances in Cryptology, Lecture Notes in Computer Science 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 1-14.