Overwriting Banner Images on Etsy

Reading time ~1 minute

When you create a shop on Etsy, you can upload an image to be used as a banner.

The upload form in the administration section stops you from changing the target shop to one you don't control, as expected.

There is, however, an AJAX endpoint which can also be used to upload these images, and it does not check that you own the shop you are uploading to.

We can easily upload any image we want onto any shop we want. This could be used to damage a business's reputation, or, as happened on the Silk Road, to upload a banner telling prospective customers to send their orders and payments to an email address we control.


Etsy fixed this in a simple way: they now check that you are the owner when you upload through the AJAX endpoint as well.
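The bug is a textbook missing-authorization check: a second entry point to the same write was added, and the ownership check lived in the first entry point rather than next to the write. The toy model below is an added example and not Etsy's code; the shop records, user names, handler names and the fake image bytes are all made up. It shows the vulnerable layout (check in the form handler only), the fixed layout (check inside the one function that performs the write), and an audit that tries a non-owner write through every entry point, which is the regression test a practitioner would want after a fix like this.

```python
"""Two upload paths, one ownership check (added example, not Etsy's code).

Constructed toy model: an in-memory shop table and two entry points for
setting a banner, the admin form and an AJAX endpoint. User and shop names
are made up; the "image" is just a byte string.
"""
from typing import Callable, Dict, Optional


class Forbidden(Exception):
    """Raised when a user tries to change a shop they do not own."""


class Shop:
    def __init__(self, shop_id: str, owner: str) -> None:
        self.shop_id = shop_id
        self.owner = owner
        self.banner: Optional[bytes] = None


def make_shops() -> Dict[str, Shop]:
    """Fresh constructed sample data for each run."""
    return {
        "alices-shop": Shop("alices-shop", owner="alice"),
        "bobs-shop": Shop("bobs-shop", owner="bob"),
    }


# Every entry point has the same shape: (shops, calling_user, shop_id, image).
Handler = Callable[[Dict[str, Shop], str, str, bytes], Shop]


# --- Vulnerable layout: the check lives in one entry point only --------------

def form_upload_vulnerable(shops: Dict[str, Shop], user: str, shop_id: str, image: bytes) -> Shop:
    """Admin form handler: compares the caller with the shop owner, then writes."""
    shop = shops[shop_id]
    if shop.owner != user:
        raise Forbidden(f"{user} does not own {shop_id}")
    shop.banner = image
    return shop


def ajax_upload_vulnerable(shops: Dict[str, Shop], user: str, shop_id: str, image: bytes) -> Shop:
    """AJAX handler: takes shop_id straight from the request and never looks at
    who is calling, so any logged-in user can overwrite any shop's banner."""
    shop = shops[shop_id]
    shop.banner = image
    return shop


# --- Fixed layout: the check sits next to the write, so every path gets it ---

def set_banner(shops: Dict[str, Shop], user: str, shop_id: str, image: bytes) -> Shop:
    """The only function that writes a banner; it enforces ownership itself."""
    shop = shops[shop_id]
    if shop.owner != user:
        raise Forbidden(f"{user} does not own {shop_id}")
    shop.banner = image
    return shop


def form_upload_fixed(shops: Dict[str, Shop], user: str, shop_id: str, image: bytes) -> Shop:
    return set_banner(shops, user, shop_id, image)


def ajax_upload_fixed(shops: Dict[str, Shop], user: str, shop_id: str, image: bytes) -> Shop:
    return set_banner(shops, user, shop_id, image)


def audit_entry_points(handlers: Dict[str, Handler]) -> Dict[str, bool]:
    """Regression check: attempt a non-owner write through every entry point and
    report, per handler, whether the write landed. Each handler gets fresh data."""
    attacker_image = b"\x89PNG send payment to attacker@example.invalid"  # constructed
    leaks: Dict[str, bool] = {}
    for name, handler in handlers.items():
        shops = make_shops()
        try:
            handler(shops, "mallory", "alices-shop", attacker_image)
            leaks[name] = shops["alices-shop"].banner == attacker_image
        except Forbidden:
            leaks[name] = False
    return leaks


if __name__ == "__main__":
    results = audit_entry_points({
        "form_vulnerable": form_upload_vulnerable,
        "ajax_vulnerable": ajax_upload_vulnerable,
        "form_fixed": form_upload_fixed,
        "ajax_fixed": ajax_upload_fixed,
    })
    for name, leaked in results.items():
        print(f"{name:16s} non-owner write allowed: {leaked}")
```

The audit only flags the vulnerable AJAX handler. The design point is that the fix is not "add the same `if` to the second handler" but moving the check into `set_banner`, so that a third entry point added next year (a mobile API, a bulk import) inherits it without anyone remembering to copy the check.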
