Today, I want to share a vulnerability I found in Flickr 2 months ago. The Flickr website is one of the most famous photo-sharing services in 2014, so I asked myself, why not try to find a bug there and report it to Yahoo?

I started by taking a first look at the website and learned that it is written in PHP, has more than 87 million users, etc.

I’ve been fond of attacking websites for the things they were built for. In Flickr’s case, that is photo sharing, so read along to see where the vulnerability is!

I tried many things like XSS, XSRF, permission bypass, etc., but in the end I focused on XSRF, and noticed that Flickr used the parameter “magic_cookie” to protect the site from XSRF bugs. You can see this parameter is included in every request, so the idea was to find something to bypass this protection method. After that, I tried the most critical requests (Delete, Add, Edit … EDIT!). After you upload a photo in the basic version of Flickr, it redirects you to a page where you can add information to the uploaded photo, like tags, description, and title. The first request was:

POST /somewhere HTTP/1.1
Host: www.flickr.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Long one !!!
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 208

edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1&tags_14401638983=XSRF+POC2&Submit=SAVE

I took magic_cookie to be a unique MD5 value.

Then I tried giving it many values, like one of the same length, or an expired one, but it didn’t work, so I deleted the magic_cookie parameter. All of the above redirect you with a 302 Found and no change in the content. The last thing I did was delete the value of magic_cookie. On the first attempt it failed, but then it worked on the second attempt!
All the values (title, description, and tags) got changed and I was redirected to my photos.
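
The behaviour described above, as an added example that is not part of the original write-up and is not Flickr's code: a hypothetical validator that lets an empty magic_cookie through, beside a strict one, both run over constructed request bodies for the cases tried above. The function names, the sample token and the cause of the flaw are assumptions; the write-up does not say why the empty value was accepted.

```python
import hmac
from urllib.parse import parse_qs

# Constructed sample token, not a real Flickr magic_cookie.
SESSION_TOKEN = "0123456789abcdef0123456789abcdef"

def flawed_check(form, session_token):
    """Hypothetical buggy validator: it compares only when a value was sent."""
    if "magic_cookie" not in form:
        return False                      # missing parameter is rejected
    supplied = form["magic_cookie"][0]
    if supplied and supplied != session_token:
        return False                      # wrong non-empty value is rejected
    return True                           # BUG: an empty value falls through

def strict_check(form, session_token):
    """Require exactly one non-empty token and compare in constant time."""
    values = form.get("magic_cookie", [])
    if len(values) != 1 or not values[0] or not session_token:
        return False
    return hmac.compare_digest(values[0].encode(), session_token.encode())

def run_cases(check):
    """Run a validator over constructed form bodies, one per case tried."""
    bodies = {
        "valid": "edit_done=1&magic_cookie=" + SESSION_TOKEN + "&title_1=x",
        "wrong_same_length": "edit_done=1&magic_cookie=" + "f" * 32 + "&title_1=x",
        "missing": "edit_done=1&title_1=x",
        "empty": "edit_done=1&magic_cookie=&title_1=x",
    }
    results = {}
    for name, body in bodies.items():
        # keep_blank_values=True keeps "magic_cookie=" as an empty string;
        # the parse_qs default would drop it and make it look like "missing".
        form = parse_qs(body, keep_blank_values=True)
        results[name] = check(form, SESSION_TOKEN)
    return results

if __name__ == "__main__":
    for label, check in (("flawed", flawed_check), ("strict", strict_check)):
        print(label, run_cases(check))
```

Keeping the four cases as a regression test for every state-changing endpoint catches this class of bug before release.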

After that, I checked whether there was another protection, like a Referer check, or another value in the cookie or in the HTTP header. Then it was time for the HTML script for the PoC.

I needed to change the ID of the photo to the target one in the HTML script (upload_ids, tags_{id here}, title_{id here}, description_{id here}).

The photo ID can be obtained from the photo URL.

So I knew it was time to report the bug to Yahoo. I was afraid it would be another duplicate, as always. I used the “HackerOne” website to report it; they sent me a reply after 2 days, and the vulnerability was fixed in less than 12 hours.
I received a reply from Yahoo more than a month after the report date, and the bounty was not set yet.

I sent them a direct message on Twitter and they were kind enough to allow me to publish the write-up.

This is the video for the PoC:

And that’s how it’s done!

Abdullah Hussam