[Flickr] CSRF in Account Deletion feature ($750 USD)
Original Post:
We discussed this vulnerability during Episode 83 on 20 September 2021
When SmugMug bought Flickr from Yahoo, they had to move the authentication system away from Yahoo’s. A side-effect was that the account deletion process had previously used the Yahoo authentication code as its CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent.
I’d imagine this is because the developer would have seen the Yahoo Auth Token as well the Yahoo Auth Token to associate with Yahoo, and not as serving a double purpose to prevent CSRF. It’s a good reminder not to try and be clever with reusing pieces of information, because later development can pretty easily make mistakes like this.
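The failure mode described above, as an added Python illustration (not Flickr’s or SmugMug’s code): three versions of a delete-account authorization check, with constructed in-memory dicts standing in for the session store and the submitted form. Only the third keeps a secret that exists purely for CSRF, so it survives a change to how authentication works.

```python
import hmac
import secrets

# Constructed stand-ins for session storage; an illustration of the pattern
# described in the write-up, not the real Flickr/SmugMug implementation.

def yahoo_era_session(user_id, yahoo_auth_code):
    """Pre-migration: the Yahoo auth code lived in the session."""
    return {"user_id": user_id, "yahoo_auth_code": yahoo_auth_code}

def migrated_session(user_id):
    """Post-migration: the Yahoo code is gone and nothing replaced it."""
    return {"user_id": user_id}

def hardened_session(user_id):
    """A token generated only for CSRF protection, bound to the session."""
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}

def delete_account_yahoo_era(session, form):
    """Authorised only if the Yahoo auth code round-trips through the form.
    This incidentally blocked CSRF: a cross-site page cannot read the code."""
    return form.get("yahoo_auth_code") == session["yahoo_auth_code"]

def delete_account_migrated(session, form):
    """Authentication moved to the cookie-backed session alone. No value in
    the request is tied to the session, so the browser attaching the cookie
    is sufficient: this is the vulnerable state the report describes."""
    return "user_id" in session

def delete_account_hardened(session, form):
    """Synchronizer-token check independent of the auth mechanism: the form
    must echo the session's CSRF token, compared in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(submitted, expected)

def cross_site_form():
    """Model of a forged submission: the attacker chooses the fields but has
    none of the victim's session-bound secrets (constructed example)."""
    return {"confirm": "yes"}
```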