Cross-site Request Forgery Vulnerability on Flickr - BestCyberNews: Online News Presenter in the present world

Cross-site Request Forgery Vulnerability on Flickr

Abdullah Hussam, a 17-year-old from Iraq, found a cross-site request forgery vulnerability on Flickr. By modifying a parameter value in a Flickr HTTP request, it was possible to use this vulnerability to modify users’ profiles.

Flickr is an image hosting and video hosting website and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005. It is a popular website for users to share and embed personal photographs, and effectively an online community.

Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily.

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. 

Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Abdullah tested the photo features for many issues, such as XSS, XSRF, permission bypass, etc. Finally he focused on XSRF and saw that Flickr used a parameter, "magic_cookie", to protect the site from XSRF bugs.

The parameter is included in every request, so the idea was to find a way to bypass this protection and then try it against the most critical requests.

After a photo is uploaded in the basic version of Flickr, the site redirects to a page where information such as tags, description and title can be added to the photo. The first request was:

Host: www.flickr.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Long one !!!
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 208

He tried many values for the parameter, such as one of the same length or an expired one, and these did not work. He then deleted the magic_cookie parameter altogether, which did not work either. All of the above attempts returned a 302 Found redirect without changing the content.

The last thing he tried was deleting only the value of magic_cookie. The first try failed, but the second worked: all the values (title, description, tags) were changed and he was redirected to his photos.
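The page does not show Flickr's server-side code, so the following is an added example, not Flickr's own code: a hypothetical token check that rejects a deleted or wrong magic_cookie but accepts an empty one, next to a hardened check that rejects all three. The secret, session id, token format and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration; not Flickr's real secret or token format.
SERVER_SECRET = b"constructed-demo-secret"


def issue_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as an HMAC of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def lenient_check(session_id: str, form: dict) -> bool:
    """Hypothetical flawed check: the token is only validated when non-empty."""
    token = form.get("magic_cookie")
    if token is None:
        return False  # parameter deleted: rejected
    if token == "":
        return True   # BUG: an empty value skips validation entirely
    return hmac.compare_digest(token.encode(), issue_token(session_id).encode())


def strict_check(session_id: str, form: dict) -> bool:
    """Hardened check: missing, empty and wrong tokens are all rejected."""
    token = form.get("magic_cookie")
    if not isinstance(token, str) or not token:
        return False
    # Constant-time comparison on bytes avoids timing leaks and type errors.
    return hmac.compare_digest(token.encode(), issue_token(session_id).encode())


def run_cases(check) -> dict:
    """Run the request variants described in the article against a check."""
    sid = "constructed-session-1"
    good = issue_token(sid)
    cases = {
        "valid token": {"title": "t", "magic_cookie": good},
        "wrong token, same length": {"title": "t", "magic_cookie": "0" * len(good)},
        "parameter deleted": {"title": "t"},
        "empty value": {"title": "t", "magic_cookie": ""},
    }
    return {name: check(sid, form) for name, form in cases.items()}


if __name__ == "__main__":
    for check in (lenient_check, strict_check):
        print(check.__name__, run_cases(check))
```

The four cases in run_cases work well as regression tests for any state-changing endpoint that relies on a request token.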


He reported this vulnerability to Flickr, and the Yahoo security team fixed it in less than 12 hours. After 1 month he got an email from Yahoo that said the bounty for the report was not set yet.







Author Venkatesh Yalagandula