Yahoo-owned Flickr, one of the biggest online photo management and sharing websites in the world, was recently impacted by a web application vulnerability that could allow an attacker to modify users' profile images.
Flickr is one of the most popular photo sharing websites, with more than 87 million users, and is therefore a top target for cybercriminals. The site was vulnerable to one of the most common web vulnerabilities, Cross-Site Request Forgery (XSRF or CSRF), which is very easy for attackers to exploit.
Cross-Site Request Forgery is a method of attacking a website in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on the victim's behalf. If they can either:
Not too difficult, is it?
When a user uploads a photo on Flickr, the site redirects them to a page where they can add information about the photo, such as tags, a description, and a title. The request it makes is shown below:
According to Abdullah, the flaw resides in the "magic_cookie" parameter, which Flickr used to protect its users from XSRF attacks.
In order to exploit the Flickr XSRF vulnerability, an attacker can simply set up a web page on his server with a custom HTML form and custom parameter values, as shown. By leaving the "magic_cookie" parameter value empty and changing the photo ID to the new image ID, the exploit is able to bypass the protection mechanism.
When the victim clicks a button on the web page, it generates a manipulated HTTP request to the server, which forces Flickr to replace the victim's profile image with the new image.
> “The last thing I did was delete the value of the magic cookie; on the first try it failed, but on the second it worked!” Abdullah told The Hacker News. “All the values (title, description, tags) got changed and I got redirected to my photos.”
He has also provided a video demonstration as a Proof of Concept:
The teen reported the vulnerability to Yahoo! and it was fixed in less than 12 hours by the Yahoo! security team. He got a reply from Yahoo! after more than a month and is still waiting for his bounty.