Hi,
How much bounty did you receive?
I found an issue with the same impact and received ~$1200.
But I think it should be worth a little more.
Thanks
I received a bit more, 4k
Awesome breach
Awesome find. 🙂
Seems to me that, even if their word length was greater, you could’ve sent emails without attachments and parsed their non-delivery reports to create a list of valid addresses as well. Probably no one would notice.
Uh… how exactly did they fix this?
There were no non-delivery reports; they probably had some kind of wildcard email system. And now they have increased the size of their dictionary, and the emails are in the form @photos.flickr.com now.
Put me out of my misery, how much was the bounty? I found this a year ago but thought the ~80 million permutations would exclude it.
80 million permutations, of which 51 would be valid, and I got 4k
Niceeeeeee
Can you share the script to generate the permutations?
It’s just a bunch of python loops
It’s difficult to find well-informed people for this subject, however, you sound like you know what you’re talking about!
Thanks
Just want to make sure I understand: when you said “Now by exploiting this, an attacker can easily upload pictures and videos from any Flickr account,” did you actually mean an attacker can upload *to* any Flickr account? As in, pre-mitigation, an attacker could upload any photos or videos they want *to* Flickr-generated email addresses?
Nice find, thanks!
Very creative bug searching, well done!
Thanks!!
This is a nice report; the bug should be addressed promptly.