How I found a vulnerability that leads to access to any user's sensitive data and got $500

Mr Robert | Ahmed M Hassan
4 min read, May 4, 2022


Hello everyone!

Today I'm going to write about an interesting vulnerability I found in Flickr (a former subsidiary of Yahoo).

For info : “Flickr is an American image hosting and video hosting service, as well as an online community”

Note: Flickr used to belong to Yahoo and was hosted on many servers, including Amazon servers. After Flickr relaunched as an organization independent and separate from Yahoo, these servers still had full access to Flickr's main server databases.

Reconnaissance:

Well, let's start. Gathering information about your target is the golden key to finding its weak point. First I collected subdomains with common tools such as subfinder, assetfinder, sublist3r, amass and findomain.

Then I extracted the live subdomains from them and took screenshots of them with the aquatone tool, using the following command:

cat live-subs | aquatone -scan-timeout 3000 -threads 5 -silent -screenshot-timeout 50000 -http-timeout 20000 -out screenshots-folder

Then I checked them one by one. The strange thing was that most of the subdomains were pages with an error message saying "We're sorry, Flickr doesn't allow embedding within frames." and the Flickr logo, and nothing else. I left that for a while and went to Shodan to pull up some interesting stuff, where I used this magical dork:

ssl.cert.subject.CN:"*.flickr.com"+200

to filter Flickr's servers. After checking the results, I found servers with different IP addresses showing the same error message I had seen before when checking the subdomains I had collected.

Dig deep and discover:

It aroused my curiosity, so I decided to look into it. Why not first check the paths on this server that shows the error message? After a while of checking the available paths with the common fuzzing tool FFUF, I found that when I added the word "start", all the contents of the server appeared, and the address looked like this: https://ip-of-strange-server/start

You would see a search box and also a Yahoo logo next to Flickr's, but it appeared for a second and then disappeared quickly, showing me the same error again.

On the other hand, on the main site of Flickr, which is a gallery of images for illustrators and graphic designers, I created a test account and posted an art picture titled "golden_arrow_img". Then I tried to search for anything in the search box of the main site; the URL structure was as follows:

https://www.flickr.com/search/?text=golden_arrow_img

I found that it returned the pictures and information about the publisher, such as his name, his ID, the title of the image and other non-sensitive data that any user can see, which were:

"username":"robert.anderson",
"realname":"Robert Anderson",
"ownerNsid":"29454454@N03",
"title":"Golden arrow IMG_0469",
"description":"Land speed record",
"license":0

So I had an idea: why not try searching the same way through the strange server I had discovered? I immediately went to
https://ip-of-strange-server/start

Then I fired up Burp Suite and intercepted the request to see the contents of the response clearly, and found that the URL structure of the search box was as follows: https://ip-of-strange-server/search?q=golden_arrow_img
I went to this link and sent it to Repeater to play with this server a little. When I sent the request again, the surprise was in the response: I found a lot of information, a loooott of information about the publisher, information that only the site administrators can see.
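The comparison above (the same query, one answer with six public fields and another with far more) is the kind of check a defender can automate against every host that answers search requests. As an added example, not code from this writeup or from Flickr, here is a Python allowlist check that flags any leaf field outside the documented public set, or whose name looks sensitive; the two sample responses are constructed for illustration.

```python
import re

# Fields the public search endpoint legitimately returns (the six keys shown
# in the writeup). Any other leaf key in a search response is a leak candidate.
PUBLIC_FIELDS = {"username", "realname", "ownerNsid", "title", "description", "license"}

# Key names that must never appear in a search response, allowlist or not.
SENSITIVE_KEY_RE = re.compile(r"pass(word)?|hash|secret|token|salt|email", re.I)

# Constructed sample: what the public endpoint returned for the test image.
PUBLIC_RESPONSE = {"results": [{
    "username": "robert.anderson", "realname": "Robert Anderson",
    "ownerNsid": "29454454@N03", "title": "Golden arrow IMG_0469",
    "description": "Land speed record", "license": 0}]}

# Constructed sample: the same query answered by a host that over-shares.
# The extra values are placeholders, not real data.
INTERNAL_RESPONSE = {"results": [{
    **PUBLIC_RESPONSE["results"][0],
    "email": "constructed@example.invalid",
    "password_hash": "CONSTRUCTED-PLACEHOLDER-HASH",
    "account_status": "active"}]}


def _leaf_keys(obj, path=""):
    """Yield (dotted_path, key) for every scalar-valued key in nested JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                yield from _leaf_keys(value, child)
            else:
                yield child, key
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _leaf_keys(value, f"{path}[{i}]")


def find_leaked_fields(response_json):
    """Return sorted paths of leaf keys that are outside PUBLIC_FIELDS or match
    a sensitive-name pattern. An empty list means the response is clean."""
    return sorted({path for path, key in _leaf_keys(response_json)
                   if key not in PUBLIC_FIELDS or SENSITIVE_KEY_RE.search(key)})
```

Running the check over responses from every host that serves the search route (the main site and any forgotten mirrors) turns the manual Repeater comparison from the writeup into a repeatable test.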

It was kinda crazy Huhh!

I was also shocked to find the password among this information. It was hashed, of course, but it made no sense for the password to be there at all. (The Flickr team clarified that the password was not real; it was present from when Flickr was previously owned by Yahoo, and they now store authentication data on isolated servers.) The way I found this vulnerability was really interesting to me. I immediately reported it and got a $500 reward.

Thanks for reading, and I wish you all success.

You can follow my Twitter to see my BB tips and new writeups.

The report URL: https://hackerone.com/reports/1365738

Mr Robert | Ahmed M Hassan

Cyber Security Engineer | Bugbounty Hunter at Hackerone. | CTF Player | Acknowledged by Google & Yahoo and 25+ more