Flickr - HackerOne Reports
Total Reports: 15 | Critical: 2 | High: 2 | Medium: 6 | Low: 4
Stored open redirect in about page
Reported by: xprto | Disclosed: | Severity: Medium | Weakness: Open Redirect
Exceed photo dimensions, Flickr.com
Reported by: 0xcyborg | Disclosed: | Severity: Low
Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload
Reported by: asad0x01_ | Disclosed: | Severity: Critical | Weakness: Code Injection
CSRF in Account Deletion feature (https://www.flickr.com/account/delete)
Reported by: asad0x01_ | Disclosed: | Severity: High | Weakness: Cross-Site Request Forgery (CSRF)
GET-based open redirect on https://www.flickr.com/browser/upgrade/?continue=
Reported by: c4rrilat0rr | Disclosed: | Severity: Low | Weakness: Open Redirect | Bounty: $150.00
Critical server misconfiguration leads to access to any user's sensitive data, including user email and password
Reported by: mr_robert | Disclosed: | Severity: Medium | Weakness: Business Logic Errors | Bounty: $500.00
IDOR may allow access to non-public photos
Reported by: 0xcyborg | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR)
Incorrect Deep-link validation leading to unresponsive application and device
Reported by: fr4via | Disclosed: | Severity: Medium | Weakness: Improper Input Validation
Stored XSS in photos_user_map.gne
Reported by: keer0k | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $3263.00
Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key
Reported by: sector035 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Critical broken cookie signing on dagobah.flickr.com
Reported by: ian | Disclosed: | Severity: Medium | Weakness: Business Logic Errors | Bounty: $479.00
Information Disclosure: .dockerignore file is publicly accessible
Reported by: himu_xjjj | Disclosed:
Flickr Account Takeover using AWS Cognito API
Reported by: lauritz | Disclosed: | Severity: Critical | Weakness: Improper Authentication - Generic