Home

XSS on Flickr

Howdy friends,

Today I’m going to show you how I got Flickr XSS Vulnerability. I’ve been spending time lately playing with Flickr.

First as usual I created flickr group with some random words <"lol">To my bad luck there was filtration.

then i started digging with that and i found a way to execute my javascript

Steps:

1. Create a group with a name <img src=x onerror=prompt(1)>"
2. Add someone to the group
3. when user will click on leave group xss will prompt.

Note: As i told you there was filtration but when a user try to leave that group filtration does not work and xss get executed.

It was reported to yahoo and then after 10 days i got reply from them “Triaged” , then after some more days they rewarded me by 400$ for this finding :vAnd they put my name on their hall of fame page

It was reported to yahoo and then after 10 days i got reply from them “Triaged” , then after some more days they rewarded me by 400$ for this finding :vAnd they put my name on their hall of fame page

Yahoo Hall Of Fame

Time-line:
05. Sept 2014 - Vulnerability reported.
06. Sept 2014 - Need More Info.
06. Sept 2014 - Provided more info.
08. Sept 2014 - Need More Info.
09. Sept 2014 - Provided More Info.
15. Sept 2014 - Bug Triaged.
01. Oct 2014 - Vulnerability fixed :D (That was pretty fast!)