The issue I found was on Flickr (a Yahoo acquisition), where I was able to join any Public (Invitation Only) group without admin/moderator approval. In Flickr, a user can create a group to share photos with other users. Group privacy can be set to Public, Public (Invitation Only), or Private. In a Public group, any user can join. In a Public (Invitation Only) group, a user must be invited by an existing member, or the user's join request must be approved by a group admin/moderator. This post is about how I was able to join any Public (Invitation Only) group without an admin/moderator's approval or invitation. So, let's get started.
Steps to reproduce:
First of all, I created a Public group named "YO Vaya". With another account, I created a second group named "Test(Invitation Only)" whose privacy is set to Public (Invitation Only).
Flickr groups have an Invite Member button with which a user can invite friends/other users to join the group (the user must be a member of the group first).
Type Of Invitation
I navigated to the Invite Member section to invite a Flickr member from my contacts. The link looks like this:
https://www.flickr.com/groups_invite.gne?id=4168260@N22
Here 4168260@N22 is my group ID. I changed the group ID to that of another public group whose privacy is set to Invitation Only, in this case the group named "Test(Invitation Only)". I tried to send the invitation, but it didn't work, as I'm not part of that group :(
So I thought about inviting one of my friends who is not a member of Flickr. That link looks like this:
https://www.flickr.com/invite/?group=<GROUP ID>
Again I changed the group ID to the invitation-only group, entered my friend's e-mail and clicked Send.
Note: I'm not a member of the Test(Invitation Only) group, so I don't have permission to invite a user to join it. Even so, I was able to send an invitation via e-mail.
Guess what? An invitation was sent to my friend's e-mail with the join link :)
So by creating a Flickr account from the invitation link, my friend will be added to the group automatically :)
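The root cause described above is that the e-mail invite endpoint trusted the group ID from the URL and never checked whether the caller is a member of that group, while the in-app invite endpoint did. The example below is added here and is not Flickr's code; it models both invite paths against a small constructed in-memory group store (the invitation-only group ID, user names and e-mail address are placeholders) and shows the single membership check that both paths, and invite acceptance, should share.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Group:
    gid: str
    privacy: str                      # "public", "invite_only" or "private"
    members: set = field(default_factory=set)


# Constructed data: the public group from the post and a placeholder invite-only group.
GROUPS = {
    "4168260@N22": Group("4168260@N22", "public", {"alice"}),
    "00000000@N00": Group("00000000@N00", "invite_only", {"bob"}),
}
PENDING_INVITES = {}   # token -> (gid, inviter, invitee_email)


def can_invite(user, group):
    """Central authorization rule: only current members of a group may issue invitations."""
    return user in group.members


def email_invite_vulnerable(user, gid, email):
    """Mirrors the flaw: the group id comes from the URL and the caller's membership is never checked."""
    token = secrets.token_hex(8)
    PENDING_INVITES[token] = (gid, user, email)
    return token


def email_invite_fixed(user, gid, email):
    """Hardened form: refuse unless the caller is a member of the target group."""
    group = GROUPS.get(gid)
    if group is None or not can_invite(user, group):
        raise PermissionError(f"{user} may not invite to group {gid}")
    token = secrets.token_hex(8)
    PENDING_INVITES[token] = (gid, user, email)
    return token


def accept_invite(token, new_user):
    """Acceptance re-checks the inviter, so an invite minted without authorization cannot be redeemed."""
    gid, inviter, _email = PENDING_INVITES.pop(token)
    group = GROUPS[gid]
    if not can_invite(inviter, group):
        raise PermissionError(f"invite to {gid} was issued by non-member {inviter}")
    group.members.add(new_user)
    return gid
```

The check at acceptance time is the defence in depth: even if one invite-creation path is missed, a token issued by a non-member does not grant membership.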
Video PoC:
Timeline:
Reported: 8th July 2017
Triaged: 13th July 2017
Fixed: 14th July 2017
Bounty rewarded: $300 on 9th August 2017.
Thanks for sharing your knowledge