14 DAY TRIAL // Security researcher Ibrahim Raafat has managed to gain access to Flickr’s databases after uncovering an SQL Injection vulnerability in Flickr’s Photo Books section. In addition, the expert has also found a remote code execution vulnerability.
Raafat initially found a couple of Blind SQL Injection vulnerabilities in the “Checkout” section of Flickr Photo Books, which the photo sharing website introduced back in November 2013.
He reported his findings via HackerOne, but he didn’t get a reply for eight days. After poking around on the website a bit more, he managed to identify a direct SQL Injection flaw, which he could leverage to gain access to Flickr databases, including the MySQL root password.
Then, the expert went even further and managed to write files and execute code on the server. After his second report, Yahoo, which owns Flickr, addressed the vulnerabilities within 6 hours.
Last week, Yahoo fixed an information disclosure flaw in Flickr that had existed for two months before it was taken seriously by the company.
For additional details on the Flickr SQL Injection and RCE vulnerabilities, check out Ibrahim Raafat’s blog PWN Rules. Also, take a look at the video proof-of-concept published by the expert:
