Flickr is still unsafe

Published in category Security
on Christian Mayer's Weblog.

After the catastrophic Heartbleed bug in OpenSSL was disclosed to the public, many web servers are still vulnerable.


Even services which have already been fixed can still be affected. One of these services is Yahoo’s Flickr. You may have heard of it, since it is one of the largest photo sharing platforms on the web. But: don’t use it.

Flickr is still vulnerable. Not in its server infrastructure, but on the client side, in the session cookie. If someone steals your cookie_session cookie, they are able to log into your Flickr account at any time. Even if you changed your password after the Flickr servers were patched against the Heartbleed bug. Even if you sign out and sign in again.

You can try it yourself:

  1. Sign in to Flickr.
  2. Copy the value of the cookie named cookie_session.
  3. Sign out of Flickr.
  4. Create a cookie named cookie_session with the value of your old cookie for the domain .flickr.net.
  5. Refresh your browser and, voilà, you’re logged in again.
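What the steps above demonstrate is a session that nothing on the server ever revokes. As an added example (my own illustration, not Flickr’s code), here is the server-side pattern that closes the hole: the cookie is an opaque id held in a server store, sign-out deletes it, and a password change invalidates every earlier session of that user, so a replayed copy is rejected. The store, the user names and the generation-counter scheme are assumptions for the demonstration.

```python
import secrets
from typing import Dict, Optional, Tuple

# Server-side session store. The cookie value is an opaque random id; all state
# that decides whether it is still valid lives here, so the server can revoke it.
class RevocableSessions:
    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, int]] = {}  # sid -> (user, generation at issue)
        self._generation: Dict[str, int] = {}             # user -> current generation

    def issue(self, user: str) -> str:
        """Sign-in: mint a fresh 256-bit id bound to the user's current generation."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._generation.get(user, 0))
        return sid

    def verify(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if it was revoked or never existed."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, gen = entry
        if gen != self._generation.get(user, 0):
            self._sessions.pop(sid, None)  # minted before a password change: drop it
            return None
        return user

    def logout(self, sid: str) -> None:
        """Sign-out: forget the id, so a copy replayed later is rejected."""
        self._sessions.pop(sid, None)

    def change_password(self, user: str) -> None:
        """Bump the generation so every session issued earlier, on any device, dies."""
        self._generation[user] = self._generation.get(user, 0) + 1

def replay_after_logout(store: RevocableSessions) -> bool:
    """The five steps from the post, seen from the server: sign in, keep the cookie, sign out, replay."""
    sid = store.issue("alice")
    store.logout(sid)
    return store.verify(sid) == "alice"  # False: the store no longer knows sid

def replay_after_password_change(store: RevocableSessions) -> bool:
    """Old session replayed after a password change and a fresh sign-in elsewhere."""
    old = store.issue("alice")
    store.change_password("alice")
    new = store.issue("alice")
    assert store.verify(new) == "alice"  # the session created after the change works
    return store.verify(old) == "alice"  # False: the old generation is stale
```

Both replay functions return False here, whereas a cookie the server never records (the behaviour the post observes) would keep validating after sign-out and after a password change.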

So I’m looking for a new photo sharing platform to move my photos away from Flickr.


About the Author

Christian is a professional software developer living in Vienna, Austria. He loves coffee and is strongly addicted to music. In his spare time he writes open source software. He is known for developing automatic data processing systems for Debian Linux.