Flickr XSRF to change photo
details
Hi
,today I want to share a vulnerability I found in Flickr from 2 month
ago
Flickr
website is one of most famous photos share in 2014
so I said why not try to find bug here and
report to Yahoo?
I
started get the first see's on the website and know that the website written in
PHP, have more than 87 million users ,
…etc.
I
really love to attack the website for the something that it is built for , in
Flickr case it is photo so let's see what is not safe here !
I
tried many things in photo like XSS,XSRF,permission bypass,…etc .
In
the final I focused in XSRF, I see that Flickr used parameter
"magic_cookie" to protect the site from XSRF bug.
You
can see this parameter is included in any request so the idea was to find
something to bypass this protect, after that I try the most critical
requests(delete,add,edit …edit !!!)
After
you upload photo in basic version of Flickr it will redirect you to page that
you can add info on the photo like tags, description, and title the first
request was :
Host:
www.flickr.com
User-Agent:
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:
en-US,en;q=0.5
Accept-Encoding:
gzip, deflate
Cookie:
Long one !!!
Connection:
keep-alive
Content-Type:
application/x-www-form-urlencoded
Content-Length:
208
edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1&tags_14401638983=XSRF+POC2&Submit=SAVE
--------------------------------------------------------------------------------------------
I defined magic_cookie= unique MD5 .
Try
to give many value to it like same length or expire one it was not work out I
deleted the magic cookie parameter it is
not work
The
all above will redirect you with 302 found with not change the content
The
last thing I did it was delete the value of magic cookie, in the first try it
failed but in the second it works !!!!!
The
all value (title, description, tags ) got change and I got redirected to my
photos .
So
I check if there are another protect like refere or another value in cookie or in the HTTP
header
It
is time for the HTML script for PoC
You
need to change the id of the photo with that one in html script (upload_ids&tags_{id
here}&title_{id here}& description_{id here})
The
photo ID can be taken from the photo URL.
So
I told my self it is time to report to Yahoo and I was thing it will be
duplicate as always ^_^ .
I
used Hacker one website to report I got the replay after 2 days I think and the
vulnerability fixed in less than 12 hours
I get the replay from Yahoo after more than month of
the report and the bounty is not set yet
I
DM them on Twitter and they was kind by allow publish the write up .
This
is video for the PoC :
Done !
Abdullah Hussam
No comments:
Post a Comment