How I could have mass uploaded from every Flickr account!

The Post has been moved here


43 thoughts on “How I could have mass uploaded from every Flickr account!”

  1. Hi,

    How much bounty did you receive?
    Found an issue with the same impact, received ~$1200.
    But I think it should cost a little more.

    Thanks


  2. Awesome find. 🙂

    Seems to me that, even if their word length was greater, you could’ve sent emails without attachments and parsed their non-delivery reports to create a list of valid addresses as well. Probably no one would notice.

    Uh… how exactly did they fix this?


    1. There were no non-delivery reports; they probably had some kind of wildcard email system. They have now increased the size of their dictionary, and the emails are in the form @photos.flickr.com.

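The reply above says the fix was a larger dictionary. The following Python is an added example, not the post author's code and not Flickr's implementation, that shows the check a defender would make when choosing such a scheme: how many bits of guessing resistance a dictionary-word address actually has, versus a local part drawn from a CSPRNG. The dictionary sizes and word counts are constructed assumptions; the page gives no real figures.

```python
import math
import secrets

# Constructed figures for illustration only. The page says the upload addresses
# were dictionary words and that the dictionary was later enlarged; it does not
# give the real sizes, so these are assumptions.
SMALL_DICTIONARY = 2_048      # assumed word-list size before the fix
LARGE_DICTIONARY = 100_000    # assumed word-list size after the fix
TARGET_BITS = 80              # assumed policy: treat anything below this as guessable


def dictionary_address_bits(words_per_address: int, dictionary_size: int) -> float:
    """Entropy in bits of a local part made of k words drawn uniformly from W words.

    Each word contributes log2(W) bits, so k words give k * log2(W).
    """
    if words_per_address < 1 or dictionary_size < 2:
        raise ValueError("need at least one word drawn from at least two candidates")
    return words_per_address * math.log2(dictionary_size)


def random_token_bits(n_bytes: int) -> int:
    """Entropy in bits of a local part built from n_bytes of CSPRNG output."""
    return 8 * n_bytes


def expected_guesses(bits: float) -> float:
    """Average number of tries to hit one specific address by exhaustive search."""
    return (2 ** bits) / 2


def meets_target(bits: float, target_bits: int = TARGET_BITS) -> bool:
    """True when the scheme clears the assumed guessing-resistance policy."""
    return bits >= target_bits


def generate_upload_address(domain: str, n_bytes: int = 16) -> str:
    """Hypothetical replacement generator: a base64url CSPRNG token as the local part.

    secrets.token_urlsafe(16) yields 22 URL-safe characters carrying 128 bits.
    """
    return f"{secrets.token_urlsafe(n_bytes)}@{domain}"


def compare_schemes() -> dict:
    """Summarise the three schemes so the weakest one is obvious at a glance."""
    schemes = {
        "2 words, small dictionary": dictionary_address_bits(2, SMALL_DICTIONARY),
        "2 words, large dictionary": dictionary_address_bits(2, LARGE_DICTIONARY),
        "16 random bytes": float(random_token_bits(16)),
    }
    return {
        name: {"bits": round(bits, 1),
               "expected_guesses": expected_guesses(bits),
               "meets_target": meets_target(bits)}
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:28s} {row['bits']:6.1f} bits  ~{row['expected_guesses']:.3g} guesses  "
              f"{'OK' if row['meets_target'] else 'guessable'}")
    print("example address:", generate_upload_address("photos.example"))
```

Run directly it prints one row per scheme; the point is that enlarging the dictionary raises the cost only logarithmically, while a random local part of fixed length clears the target by a wide margin.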

  3. Just want to make sure I understand: when you said “Now by exploiting this, an attacker can easily upload pictures and videos from any Flickr account,” did you actually mean an attacker can upload *to* any Flickr account? As in, pre-mitigation, an attacker could upload any photos or videos they want *to* Flickr-generated email addresses?

    Nice find, thanks!
