Wednesday, August 6, 2014

Flickr XSRF to change photo details

Flickr XSRF to change photo details
------------------------------------------------------------------------------------------   
Hi ,today I want to share a vulnerability I found in Flickr from 2 month ago  

Flickr website is one of most famous photos share in 2014

 so I said why not try to find bug here and report to Yahoo?

I started get the first see's on the website and know that the website written in PHP, have more than  87 million users , …etc.

I really love to attack the website for the something that it is built for , in Flickr case it is photo so let's see what is not safe here !

I tried many things in photo like XSS,XSRF,permission  bypass,…etc .

In the final I focused in XSRF, I see that Flickr used parameter "magic_cookie" to protect the site from XSRF bug.

You can see this parameter is included in any request so the idea was to find something to bypass this protect, after that I try the most critical requests(delete,add,edit …edit !!!)

After you upload photo in basic version of Flickr it will redirect you to page that you can add info on the photo like tags, description, and title the first request was :

Host: www.flickr.com

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: Long one !!!

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 208


edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1&tags_14401638983=XSRF+POC2&Submit=SAVE


--------------------------------------------------------------------------------------------

 I defined magic_cookie= unique MD5 .

Try to give many value to it like same length or expire one it was not work out I deleted the magic cookie parameter  it is not work

The all above will redirect you with 302 found with not change the content

The last thing I did it was delete the value of magic cookie, in the first try it failed but in the second it works !!!!!

The all value (title, description, tags ) got change and I got redirected to my photos .


So I check if there are another protect like refere  or another value in cookie or in the HTTP header

It is time for the HTML script for PoC




You need to change the id of the photo with that one in html script (upload_ids&tags_{id here}&title_{id here}& description_{id here})

The photo ID can be taken from the photo URL.

So I told my self it is time to report to Yahoo and I was thing it will be duplicate as always ^_^ .

I used Hacker one website to report I got the replay after 2 days I think and the vulnerability fixed in less than 12 hours

 I get the replay from Yahoo after more than month of the report and the bounty is not set yet

I DM them on Twitter and they was kind by allow publish the write up .


This is video for the PoC : 

Done !

Abdullah Hussam