[I'm not sure how/who to contact regarding sensitive security holes, so this message is being put through the web-help system as well as going to dathan]
I'm not sure if you guys at Flickr are aware of this yet, but the Authentication page at http://flickr.com/services/auth/ has a bug and a security hole.
The bug, which you probably *are* aware of, is that the user-uploaded Application Logo isn't displayed on the auth page, even when it's a valid 300x90 GIF, as recommended.
The security hole is that the Application Description (and, presumably, Title, but I haven't checked that) has no escaping or filtering or tag-stripping of any kind done on it, which means that any random markup an API key owner cares to put in the Description (or, presumably, Title) is parsed and/or displayed by the user's browser.
The security hole occurs when the Description is something like this:
<script type="text/javascript">setTimeout("var e = document.getElementsByTagName('input'); /* e[e.length - 1].click(); */ alert('Congratulations, this script has auto-authorized for your /convenience/! Or, would have if it were malicious.');", 10);</script>
That collects all the <input> elements from the Auth page, then triggers the onclick method of the last one, which happens to be the "OK, AUTHORIZE" submit button. It can be done fast enough that the user has no way of seeing the page for more than a few milliseconds, after which (for web applications, at least) the browser is redirected back to the callback url, with ?frob=blah appended.
True, users can revoke authorization at any time, but this could still do quite a lot of damage from a malicious app that now has the power to silently give itself "delete" privs without the user's consent, and the Authentication List link is sorta buried at the bottom of the user's account page...
When investigating a fix, please keep in mind that simple search-and-removal of <script> tags is insufficient, as (AFAIK) tags can be written with HTML escape codes -- <scRipt for example. This also applies to javascript: urls -- all too easy for a description to include 'If you wish to cancel this authorization, please <a href="javascript:authorize();">Click Here</a>'. I can say that LiveJournal / Danga has a pretty secure system for user comments in this particular context.
-- Ben Karel
Oh, and P.S. http://www.flickr.com/services/auth/revoke.gne?token=SOME_VALID_TOKEN -- "i'll" should be "I'll", but really, the whole phrasing seems like it'd be meaningless to most users. I'd just remove the checkbox entirely.
P.P.S. I <3 flickr ;)
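As an added illustration of the fix the report asks for (this is example code, not code from the report or from Flickr): a Python comparison of naive `<script>` tag removal against HTML output-escaping, run over constructed descriptions modelled on the ones in the message. The regex check `browser_would_parse` is an assumed heuristic for "is there still live markup here", not a browser.

```python
import html
import re

# Naive "fix": delete literal <script> tags only. Kept here to show why the
# report says search-and-removal of tags is insufficient.
def naive_strip_script(description: str) -> str:
    return re.sub(r"</?script[^>]*>", "", description)

# Actual fix: treat the description as data, not markup. Every character that
# can open a tag or break out of an attribute is escaped on output, so the
# browser renders the text verbatim and never parses it.
def escape_description(description: str) -> str:
    return html.escape(description, quote=True)

# Heuristic (assumed, not a browser): does the rendered string still contain a
# tag start, or an attribute value beginning with a javascript: URL?
# Case-insensitive, because tag names and URL schemes are.
_LIVE_MARKUP = re.compile(r"<\s*/?\s*[a-z]|=\s*[\"']?\s*javascript\s*:", re.IGNORECASE)

def browser_would_parse(rendered: str) -> bool:
    return _LIVE_MARKUP.search(rendered) is not None

# Constructed sample descriptions, modelled on the cases in the report.
SAMPLES = [
    '<script type="text/javascript">alert("auth")</script>',   # plain tag
    '<scRipt>alert("auth")</scRipt>',                           # case-varied tag
    'To cancel, <a href="javascript:authorize();">Click Here</a>',  # javascript: URL
]

def compare(description: str) -> dict:
    """Report whether each strategy leaves anything a browser would parse."""
    return {
        "naive_safe": not browser_would_parse(naive_strip_script(description)),
        "escaped_safe": not browser_would_parse(escape_description(description)),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample), "<-", sample)
```

Only the first sample is neutralised by the naive filter; escaping handles all three because the output contains no `<` at all.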