The mobile version of the flicker site accept input from the user controlled data and includes it in the HTML output without proper encoding. This is similar to the bug posted at: Abusing CORS for an XSS on Flickr which is actaully really similar to a bug I found on facebook mobile a few years ago: Facebook XSS via CORS

POC:

  1. First uploaded an image with the following meta data as a title:
  2. Get the API (on the mobile domain) url for this video: http://api.flickr.com/services/rest/?method=flickr.photos.getInfo&api_key=059e5c79d1580f120b20af104166e336&photo_id=830553837&format=json&nojsoncallback=1
  3. Normally this would not be an issue for 2 reasons.
    • This is not directly an XSS because the Content Type is set to text/javascript
    • It is on a different domain that exploitable site. However the API URL can be changed to www (or none) subdomain or to the mobile domain “m.flickr.com”
  4. The http://m.flickr.com/#/ site validates that the rest of the URL is a relative path but because the API can be change to the mobile domain we can send relative path to the unescaped HTML that we added as our video title.

Final POC (one URL):

http://m.flickr.com/#/services/rest/?method=flickr.photos.getInfo&api_key=059e5c79d1580f120b20af104166e336&photo_id=830553837&format=json&nojsoncallback=1

Timeline:

  • 12/18/2013 Submitted (auto reply e-mail)
  • 01/21/2013 After 30+ days of no reply Tweet to @YahooSecurity
  • 03/11/2014 Resolved 90 days later Payment from HackerOne

Overall a poor experinace with Yahoo on this issue. The only comunication I recieved other than an automated reply was 3 months later saying it was resolved and only after I reached out via twitter. 90 Days to resolve an XSS that could lead to account take over / private data seems a bit long to me.