Today I’m going to show you how I got Flickr XSS Vulnerability. I’ve been spending time lately playing with Flickr.
First as usual I created flickr group with some random words
To my bad luck there was filtration.
- Create a group with a name
<img src=x onerror=prompt(1)>"
- Add someone to the group
- when user will click on leave group xss will prompt.
Note: As i told you there was filtration but when a user try to leave that group filtration does not work and xss get executed.
It was reported to yahoo and then after 10 days i got reply from them “Triaged” , then after some more days they rewarded me by 400$ for this finding :v
And they put my name on their hall of fame page
Yahoo Hall Of Fame
Thanks to Yahoo security team.
05. Sept 2014 - Vulnerability reported.
06. Sept 2014 - Need More Info.
06. Sept 2014 - Provided more info.
08. Sept 2014 - Need More Info.
09. Sept 2014 - Provided More Info.
15. Sept 2014 - Bug Triaged.
01. Oct 2014 - Vulnerability fixed :D (That was pretty fast!)