UPDATED 07:45 EDT / JUNE 25 2013

Flickr Flaw Leaves Yahoo Mail Accounts Exposed to Hackers

Fresh security fears have been raised over Yahoo’s email service since last month’s update of Flickr.com, the photo-sharing website that’s integrated with the wider Yahoo network. The concerns have to do with the way the services are inextricably linked together – i.e., when you log into one service, you’re automatically logged into the other at the same time, something that many users probably aren’t aware of.

At the time of Flickr’s overhaul, most of the attention fell on its new image-centric design, and the controversial new pricing model that doubled the cost of a premium membership to $49.99 a year (the only way to get rid of those pesky ads), whilst charging a whopping $499.99 per year for those who wanted to increase their storage space.

But while some users were outraged over Flickr’s price hike, another equally important change to the way the site works seems to have slipped under the radar, yet it’s one that could have far more serious implications for its users.

Yahoo has actually tied Flickr accounts to its main services since shortly after acquiring the photo-sharing site in 2005. By doing so, Yahoo believes that more Flickr users will be encouraged to use its other services – Yahoo Mail, Finance, Answers and so on – whilst presumably hoping to entice Yahoo customers to take a look at Flickr as well.

That’s all well and good (for Yahoo anyway) but for its users it might cause a few problems where their security is concerned. Why so? Because of a glaring oversight by Yahoo’s engineers at the time Flickr was revamped, that’s why. With Flickr’s overhaul, Yahoo has now removed the old warning screen that asks users if they wish to log out of its network at the same time as they log out of their Flickr accounts.

Now this might not be a problem for anyone using their own computer – unless they happen to have spiteful mates of course – but for public computers at internet cafes and whatnot, it’s a very serious matter.

Flickr Leaves The Door Wide Open

One of the major problems is that many people won’t even realize – or if they do, they’ll quickly forget – that by logging into Flickr they’re also logging into Yahoo’s network, meaning that their emails will be accessible. Hence, many unwitting users might find themselves in a position where, after finishing whatever it is they’re doing on Flickr, they log out of that site but remain logged into Yahoo. Because the reminder no longer shows up, users are now required to sign out of both services separately – logging out of Flickr doesn’t sign you out of anywhere else.

For people who use public computers at universities, libraries, internet cafes etc., there’s a serious risk that their Yahoo accounts could be accessed by the next person to use that machine – should someone fail to log out of Yahoo, all one has to do is enter mail.yahoo.com and they’ll instantly land on the previous person’s inbox and be able to read all of their private emails, change their password and take over that account. The risk doesn’t end there either, as plenty of people sign up for services like Facebook, PayPal and so on using their Yahoo Mail address – such services could easily be accessed via a simple password change request.

What’s particularly worrying is that this isn’t something that’s just popped up – Yahoo has known about the problem for more than a month already, since this thread was posted onto the Flickr forum by a concerned user on May 22. That thread was later locked, only for a second post citing the same concerns to appear. Flickr staff member Thea Lamkin did post a reply to the second thread about a week ago promising to look into the issue – yet so far nothing has been done to close this alarmingly wide gap in Flickr/Yahoo’s security.

This new Yahoo security concern comes at a time when Yahoo has been roundly criticized over its policy of ‘renewing’ inactive Yahoo Mail accounts. Last month, the company said that it intended to recycle all existing accounts that have lain inactive for the last 12 months, as a way of providing its active users with a more “memorable” email address. I pointed out in an earlier post just how foolish this was – as is the case with old Hotmail IDs that are also ‘recycled’, it poses a massive security risk for anyone who has social media accounts tied to their old, inactive Yahoo account.

What with the glaring security problems facing Yahoo Mail anyway – thousands of users have been hacked since the turn of the year, finding themselves locked out of their accounts which are then used to send masses of spam to their contacts – this new problem raises serious questions over Yahoo’s attitude towards its customers’ security. Quite frankly, it stinks, and one can only conclude that Yahoo doesn’t give a damn about its users. Since my last post regarding the spate of Yahoo Mail hackings, I’ve been contacted by dozens of readers complaining that they’ve been forced to abandon their hijacked Yahoo Mail accounts, while Yahoo’s excuse for a customer service team continually ignores their pleas for assistance.

Once again, I’ve reached out to Yahoo (and Flickr) for a comment on this latest oversight. I don’t expect a reply, but if they do find time to get back to me I’ll be sure to update this post.

[UPDATE]

Wow, just look at what a little public naming and shaming can do – I’m happy to report that within just a few hours of this being posted, Yahoo has now stepped forward to fix the vulnerability.

Statement from Flickr:

Happy to report that we’ve updated the experience for logging out of Flickr. Here’s how it works:
1) When you log in to Flickr, you will also automatically log in to Yahoo!, as has always been the case.
2) Now when you log out of Flickr, you will also be automatically logged out of your wider Yahoo! account, and will have to sign back in to access any other Yahoo! properties, including Mail.
3) After logging out, you will still end up on the Flickr signed-out home page.
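The fix Flickr describes is what shared-login designs call single logout: ending one property's session must also end the shared identity session that every other property trusts. The toy model below is an added illustration, not Flickr's or Yahoo's code; the cookie values and the public-terminal scenario are constructed, and it contrasts the pre-fix logout (which dropped only Flickr's own session) with the fixed one.

```python
# Added illustration (not Flickr's or Yahoo's code): one shared identity session
# (the Yahoo side) backs per-property sessions (Flickr, Mail). Scenario constructed.
import secrets
from typing import Dict, Optional, Tuple

class LinkedSessionStore:
    def __init__(self) -> None:
        self.identity: Dict[str, str] = {}          # id_cookie -> user
        self.app: Dict[str, Tuple[str, str]] = {}   # app_cookie -> (property, id_cookie)

    def login(self, user: str, prop: str) -> Tuple[str, str]:
        """Signing in to one property also creates the shared identity session."""
        id_cookie = secrets.token_urlsafe(16)
        self.identity[id_cookie] = user
        return self.attach(prop, id_cookie), id_cookie

    def attach(self, prop: str, id_cookie: str) -> str:
        """A second property (e.g. Mail) needs no credentials, only the identity cookie."""
        if id_cookie not in self.identity:
            raise PermissionError("not signed in")
        app_cookie = secrets.token_urlsafe(16)
        self.app[app_cookie] = (prop, id_cookie)
        return app_cookie

    def user_for(self, id_cookie: str) -> Optional[str]:
        # What any property sees when the browser presents the identity cookie.
        return self.identity.get(id_cookie)

    def logout_app_only(self, app_cookie: str) -> None:
        """Pre-fix behaviour: drop this property's session only; Mail stays live."""
        self.app.pop(app_cookie, None)

    def single_logout(self, app_cookie: str) -> int:
        """Fixed behaviour: revoke the identity session and every session bound to it."""
        _, id_cookie = self.app.pop(app_cookie)
        self.identity.pop(id_cookie, None)
        linked = [c for c, (_, i) in self.app.items() if i == id_cookie]
        for c in linked:
            del self.app[c]
        return 1 + len(linked)   # number of property sessions ended

def public_terminal_scenario(fixed: bool) -> Optional[str]:
    """Alice signs in to Flickr, opens Mail, logs out of Flickr; who does Mail see next?"""
    store = LinkedSessionStore()
    flickr_cookie, id_cookie = store.login("alice", "flickr")
    store.attach("mail", id_cookie)
    if fixed:
        store.single_logout(flickr_cookie)
    else:
        store.logout_app_only(flickr_cookie)
    return store.user_for(id_cookie)
```

Before the fix the next person at the terminal is still seen as "alice" when opening Mail; after it the identity cookie left in the browser resolves to nobody.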

Of course, this doesn’t excuse the fact that they took five weeks to come up with a solution for a critical issue that should have been given the highest priority, and only acted when knowledge of this vulnerability became public. God only knows how many people’s accounts were exposed/hijacked in that time. Still, better late than never…

