53 thoughts on “How I could have mass uploaded from every Flickr account!”

  1. Hi,

    How much bounty did you receive?
    Found issue with the same impact received ~1200$
    But I think it should cost a little more.



  2. Awesome find. 🙂

    Seems to me that, even if their word length was greater, you could’ve sent emails without attachments and parsed their non-delivery reports to create a list of valid addresses as well. Probably no one would notice.

    Uh… how exactly did they fix this?


    1. There were no non-delivery reports; they probably had some kind of wildcard email system. And now they increased the size of their dictionary, and the emails are in the form @photos.flickr.com now.


  3. Put me out of my misery, how much was the bounty? I found this a year ago but thought the ~80 million permutations would exclude it.


  4. Just want to make sure I understand: when you said “Now by exploiting this, an attacker can easily upload pictures and videos from any Flickr account,” did you actually mean an attacker can upload *to* any Flickr account? As in, pre-mitigation, an attacker could upload any photos or videos they want *to* Flickr-generated email addresses?

    Nice find, thanks!


