XSS on Flickr

Howdy friends,

Today I’m going to show you how I got Flickr XSS Vulnerability. I’ve been spending time lately playing with Flickr.

First as usual I created flickr group with some random words <"lol">
To my bad luck there was filtration.

then i started digging with that and i found a way to execute my javascript.

Steps:

  1. Create a group with a name <img src=x onerror=prompt(1)>"
  2. Add someone to the group
  3. when user will click on leave group xss will prompt.

tumblr_inline_o1hf1h51P71t8my73_250

Note: As i told you there was filtration but when a user try to leave that group filtration does not work and xss get executed.

Flickr.Xss

It was reported to yahoo and then after 10 days i got reply from them “Triaged” , then after some more days they rewarded me by 400$ for this finding :v
And they put my name on their hall of fame page

Yahoo Hall Of Fame

Video Demo:

Thanks to Yahoo security team.

 

shubhamgupta

 

3 thoughts on “XSS on Flickr

Leave a Reply

Your email address will not be published. Required fields are marked *