Overwriting Banner Images on Etsy


When you create a shop on Etsy, you can upload an image to be used as a banner.

The upload form in the shop administration section, as you would expect, stops you from changing the banner of a shop you don't control.

There is, however, an AJAX endpoint that can also be used to upload these images, and it does not check that the authenticated user owns the target shop before accepting the upload.

So we can upload any image we want to any shop we want. This could be used to damage a business's reputation, or, as happened on the Silk Road, to upload a banner telling prospective customers to send their orders and payments to an email address we control.

Fix

Etsy fixed this in a simple way: the AJAX endpoint now checks that you own the shop on upload, the same check the administration form already made.
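To make the bug and its fix concrete, here is an added example (not Etsy's code, whose internals are not known) of an upload handler that trusts the client-supplied shop id beside the same handler with the ownership check. The data store, request shape, user and shop names are all constructed for the example; the point is that the check compares the shop being written against the identity from the session, not against anything the client submits, and that every endpoint performing the write must make it, not only the HTML form.

```python
"""Added example, not Etsy's code: a banner-upload handler without and with
an ownership check. All names and data here are hypothetical/constructed."""

from dataclasses import dataclass, field

# Constructed data store: which user owns which shop, and each shop's banner.
SHOP_OWNERS = {"shop-100": "alice", "shop-200": "bob"}
BANNERS = {"shop-100": b"alice-banner.png", "shop-200": b"bob-banner.png"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the logged-in user comes from the
    session cookie, while form fields and files are attacker-controlled."""
    session_user: str
    form: dict
    files: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def is_image(data: bytes) -> bool:
    """Cheap content check on the upload: PNG, JPEG or GIF magic bytes."""
    return data.startswith((b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a"))


def upload_banner_vulnerable(req: Request) -> Response:
    """The flaw described in the post: the upload itself is validated, but
    nothing asks whether req.session_user owns req.form['shop_id']."""
    shop_id = req.form.get("shop_id")
    data = req.files.get("banner", b"")
    if shop_id not in SHOP_OWNERS:
        return Response(404, "no such shop")
    if not is_image(data):
        return Response(400, "not an image")
    BANNERS[shop_id] = data
    return Response(200, "banner updated")


def upload_banner_fixed(req: Request) -> Response:
    """Same handler with the ownership check made server-side against the
    authenticated identity; a non-owner gets 403 and nothing is written."""
    shop_id = req.form.get("shop_id")
    data = req.files.get("banner", b"")
    if shop_id not in SHOP_OWNERS:
        return Response(404, "no such shop")
    if SHOP_OWNERS[shop_id] != req.session_user:
        return Response(403, "not the shop owner")
    if not is_image(data):
        return Response(400, "not an image")
    BANNERS[shop_id] = data
    return Response(200, "banner updated")


# Constructed upload: a PNG header is enough to pass the magic-byte check.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"attacker-banner"


def demo():
    """A logged-in attacker 'mallory' targets bob's shop through both handlers.
    Returns (vulnerable status, banner hijacked?, fixed status, banner intact?)."""
    attack = Request(session_user="mallory",
                     form={"shop_id": "shop-200"},
                     files={"banner": FAKE_PNG})
    original = BANNERS["shop-200"]
    vuln = upload_banner_vulnerable(attack)
    hijacked = BANNERS["shop-200"] == FAKE_PNG
    BANNERS["shop-200"] = original  # restore before the second run
    fixed = upload_banner_fixed(attack)
    return vuln.status, hijacked, fixed.status, BANNERS["shop-200"] == original


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler is not missing authentication; mallory is logged in. It is missing authorization, the binding between the authenticated user and the object being modified, which is why the fix is one line and why the same line has to be present on every code path that writes the banner.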
