

Flickr's API Signature Forgery Vulnerability - thaidn
http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html

======
nopal
Does anyone know what Flickr did to address this vulnerability?

They didn't move to using HMAC.

Are they just filtering 0x80 and 0x00?

------
DrewHintz
Can we please stop using MD5?

~~~
juli
MD5 is not the problem here, SHA1 is also vulnerable to the extension attack.
They should use HMAC.
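
Added example, not part of the thread or of Flickr's code: a sketch of the HMAC request signing recommended in the comment above, next to a simplified secret-prefix MD5 signature for contrast. The function names, the length-prefixed canonical form, the choice of SHA-256 as the HMAC hash, and the sample secret and parameters are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real API.
SECRET = b"constructed-shared-secret"
PARAMS = {"api_key": "k123", "method": "photos.getInfo", "user_id": "42"}


def canonical(params):
    """Encode sorted name/value pairs with 4-byte length prefixes so that
    field boundaries are unambiguous in the signed message."""
    out = bytearray()
    for name in sorted(params):
        for field in (name, params[name]):
            raw = field.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def sign_prefix_md5(secret, params):
    """Secret-prefix construction, MD5(secret || message), for contrast only.
    The digest is the hash's internal state after the last block, which is
    why MD5 and SHA-1 used this way allow length extension."""
    return hashlib.md5(secret + canonical(params)).hexdigest()


def sign_hmac(secret, params):
    """HMAC wraps the hash in two keyed passes, so the tag does not expose a
    state that can be extended without knowing the secret."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_hmac(secret, params, signature):
    """Recompute the tag and compare in constant time."""
    expected = sign_hmac(secret, params).encode("ascii")
    return hmac.compare_digest(expected, signature.encode("utf-8"))


if __name__ == "__main__":
    tag = sign_hmac(SECRET, PARAMS)
    print("valid request:   ", verify_hmac(SECRET, PARAMS, tag))
    print("extra parameter: ", verify_hmac(SECRET, dict(PARAMS, extra="x"), tag))
```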

