
In addition to censoring photos of state oppression, Flickr can't understand a basic XSS report

Update: Mea culpa; after several back and forths, the problem was with my site (which I was not hosting myself). Their corporate policy of to hell with activists still sucks though.

Hello,

Thank you for contacting Flickr Member Support.

I am sorry, but I am not clear about what your problem is. We'll be happy to look into this matter for you. To do so, we'll need the following information:

- A detailed description of the exact steps taken that led to the problem you're experiencing

- The full and exact text of any error messages you received

- The Web address of the page you are seeing the issue on

- Flickr account Web address

Thank you again for contacting us. If you have any other questions, please feel free to reply to this email.

Regards,
Jake

An utter form letter with nothing applicable at all. My report did include my account and the page I was seeing it on (one and the same), and of course the problem is not an error message but a JavaScript hijacking of a link.

I had reported that a Google security alert was fake, at a "googlle.in" page, which if clicked through does indeed threaten a redirect to a highly suspicious address, with helios-krefeld.de, addfreeprotectionth.cz.cc, and rdr.cz.cc in the browser history.

Let's see if I can be really, really clear, and not confuse with the list of domains involved in the hijacking.

Hello Jake,

There is a cross-site scripting attack on my Flickr page, http://www.flickr.com/people/ben-agaric/

With JavaScript enabled, click on the link to People Who Give a Damn ( http://pwgd.org ) -- it will instead take you to a fake Google alert.

Please secure your site immediately.

Thank you.

benjamin

Comments

What's with pwgd.org?

Hi Benjamin,
Have your DNS records been hijacked or has your registrar taken over an expired domain? Typing in pwgd.org manually still leads to some BS webpage, and an nslookup reports 205.134.239.167, which while better, doesn't appear to be pwgd.org
I would be interested to find out more about the organization if I can get to the site...

I was wrong

I am sorry for the confusion, but this is an issue with whoever hosts the site you are linking to. If this were an issue with a photo on our site linking to a different website than the photo page, this would be an issue on our end.

You will need to contact the host of this site for more information.

If you have any other questions, feel free to reply back to this email.

Regards,

Jake

He was right.

Hi Jake,

Thank you. I was only getting the fake warning from Flickr and not any other that linked to pwgd.org, but as it still occurs with JavaScript off it must be an issue on pwgd.org not Flickr.

Thanks.

ben

(resources on the exploit)
http://google.com/safebrowsing/diagnostic?site=googlle.in/
http://www.efragz.net/forum/viewtopic.php?t=6613
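The reasoning in that last reply (the redirect still happens with JavaScript off, so the fault lies with the destination, not with the page carrying the link) can be made a repeatable check. This is an added example, not code from the post or from Flickr; the pwgd.org anchor, the fake-alert.example host and the HTTP responses are constructed samples.

```python
# Added example: static triage of a suspected link hijack without running any script.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
INLINE_HANDLERS = ("onclick", "onmousedown", "onmouseup", "onfocus")

class LinkCollector(HTMLParser):
    """Collects (href, inline JS handler names) for every <a> on a page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.links.append((a.get("href") or "", [k for k in a if k in INLINE_HANDLERS]))

def host(url):
    return (urlparse(url).hostname or "").lower()

def destination_redirect(raw_response):
    """Redirect target carried by a raw HTTP response with JavaScript off:
    a 3xx Location header or a <meta http-equiv="refresh">; None if neither."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if 300 <= status < 400 and headers.get("location"):
        return headers["location"]
    m = re.search(r'http-equiv=["\']refresh["\'][^>]*?url=([^"\'\s>]+)', body, re.I)
    return m.group(1) if m else None

def triage(referrer_html, expected_host, destination_raw):
    """Where does the hijack live? Returns (verdict, evidence)."""
    target = destination_redirect(destination_raw)
    if target and host(target) != expected_host:
        return "destination-side", target   # the redirect reproduces with JavaScript off
    parser = LinkCollector()
    parser.feed(referrer_html)
    for href, handlers in parser.links:
        if host(href) == expected_host and handlers:
            return "referrer-side", f"{handlers} on link to {href}"   # page-side tampering
    return "clean", None

# Constructed samples (not captured traffic): a page linking to pwgd.org, the same
# link with an inline handler, and destination responses with and without a redirect.
REFERRER = '<p><a href="http://pwgd.org">People Who Give a Damn</a></p>'
TAMPERED = '<p><a href="http://pwgd.org" onmousedown="this.href=\'http://fake-alert.example/\'">PWGD</a></p>'
REDIRECTING = "HTTP/1.1 302 Found\r\nLocation: http://fake-alert.example/warning\r\n\r\n"
NORMAL = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>PWGD</html>"
```

A server-side 3xx or meta refresh seen in the raw response is evidence the destination itself is compromised or hijacked; only an inline handler or script on the referring page points back at that page.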
