Christian Mayer's Weblog

Flickr is still unsafe

Flickr Logo

After the catastrophic Heartbleed bug in OpenSSL has been discovered to the public there are many webservers still vulnerable.

Even services which already has been fixed. One of these services is Yahoo’s Flickr. Maybe you heard about it because it’s one of the largest photo sharing platforms on the web. But: don’t use it.

Flickr is still vulnerable. Not on the server infrastructure but on the client base. If someone steals your cookie_session Cookie he’s able to log into your Flickr account — any time. Even if you changed your password after the Flickr server has been pachted the Heartbleed bug. Even if you re-sign in.

You can try it yourself:

  1. Sign in to Flickr.
  2. Copy the value of the Cookie named cookie_session.
  3. Sign out of Flickr.
  4. Create a Cookie named cookie_session with the value of your old Cookie for domain .flickr.net.
  5. Refresh your browser, and voila, you’r logged in again.

So I’m looking for a new photo sharing platform to move my photos away from Flickr.

Posted on .
Categories: Security
Tags: Flickr, Yahoo, Heartbleed, SSL, TLS, OpenSSL

Categories | RSS Feed | Usage | Imprint
Copyright © 2006 by