- Convince your users to click on an HTML page they’ve constructed
- Insert arbitrary HTML in a target website that your users visit
According to Abdullah, the flaw resides in the “magic_cookie” parameter, the anti-CSRF token Flickr used to protect its website users from XSRF attacks.
In order to exploit the Flickr XSRF vulnerability, an attacker can simply set up a webpage on his server with a custom HTML form and custom parameter values, as shown. By leaving the “magic_cookie” parameter value empty and changing the Photo ID to the new image ID, the exploit is able to bypass the protection mechanism.
When the victim clicks a button on the web page, it generates a manipulated HTTP request to the server, which forces Flickr to replace the victim’s profile image with the new image.
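The root cause described above is a token check that is only enforced when the client actually sends a token, so an empty “magic_cookie” skips validation. The following is an added example (not Flickr’s or Yahoo!’s code; the session store, the `photo_id` field and the handler names are constructed for illustration) that places that weak pattern beside a hardened check which treats a missing or empty token as a rejection and compares the token in constant time. It goes slightly beyond the article by also covering the missing-parameter case and an unknown session:

```python
import hmac
import secrets

# Constructed session store: session id -> per-session anti-CSRF token.
# (Assumption: the real site keys the token by session; only the shape matters here.)
SESSIONS = {"sess-1": secrets.token_hex(16)}


def weak_check(session_id, form):
    """Vulnerable pattern: the token is compared only when the client supplies one.
    An empty (or absent) 'magic_cookie' therefore passes validation."""
    token = form.get("magic_cookie", "")
    if token and token != SESSIONS.get(session_id):
        return False
    return True


def strict_check(session_id, form):
    """Hardened pattern: the token is mandatory, must belong to this session,
    and is compared with a constant-time comparison."""
    expected = SESSIONS.get(session_id)
    supplied = form.get("magic_cookie")
    if not expected or not supplied:
        # Unknown session or missing/empty token: reject, never fall through.
        return False
    return hmac.compare_digest(supplied, expected)


def handle_profile_update(check, session_id, form):
    """Simulated profile-photo handler. Returns ('updated', photo_id) when the
    state-changing request is accepted, otherwise ('rejected', None)."""
    if not check(session_id, form):
        return ("rejected", None)
    return ("updated", form.get("photo_id"))


if __name__ == "__main__":
    # Constructed cross-site form submission with the token left empty.
    forged = {"magic_cookie": "", "photo_id": "new-photo-id"}
    print("weak check  :", handle_profile_update(weak_check, "sess-1", forged))
    print("strict check:", handle_profile_update(strict_check, "sess-1", forged))
```

The defensive point is the order of the conditions: validate presence first, then equality, and never let an absent value short-circuit to “allowed”. `hmac.compare_digest` also avoids leaking the token length or prefix through timing, which a plain `!=` does not guarantee.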
“The last thing I did was delete the value of magic cookie; on the first try it failed, but on the second it worked!,” Abdullah told The Hacker News. “All the values (title, description, tags) got changed and I got redirected to my photos.”
He has also provided a video demonstration as a Proof of Concept:
The teen reported the vulnerability to Yahoo! and it was fixed in less than 12 hours by the Yahoo! security team. He got the reply from Yahoo! after more than a month and is still waiting for his bounty.
Source : The Hacker News