54 thoughts on “How I could have mass uploaded from every Flickr account!

  1. Hi,

    How much bounty did you receive?
    Found issue with the same impact received ~1200$
    But I think it should cost a little more.

    Thanks

    Like

    Reply

  3. Awesome find. 🙂

    Seems to me that, even if their word length was greater, you could’ve sent emails without attachments and parsed their non delivery reports to create a list of valid addresses as well. Probably noone would notice.

    Uh… how exactly did they fix this?

    Like

    Reply

    1. There were no non delivery reports, they probably had some kind of wildcard email system. And now they increased the size of their dictionary and the emails are in the form @photos.flickr.com now

      Like

      Reply

  4. Put me out of my misery, how much was the bounty? I found this a year ago but thought the 80~ million permutations would exclude it.

    Like

    Reply
  6. Pingback: Flickr exploit allowed uploading tons of pics to user accounts
  7. Pingback: Flickr exploit allowed uploading tons of unwanted pics to user accounts – storyfleet
  9. Pingback: Error de seguridad en Flickr permitía que se envíen fotos a cuentas de usuarios ajenas
  10. Pingback: Error de seguridad en Flickr permitía que se envíen fotos a cuentas de usuarios ajenas – Celulares y Tablets
  11. Pingback: Error de seguridad en Flickr permitía que se envíen fotos a cuentas de usuarios ajenas | Bienestar Institucional
  12. Pingback: Error de seguridad en Flickr permitía que se envíen fotos a cuentas de usuarios ajenas | Todo Diario
  13. Pingback: Security error on Flickr allowed photos to be sent to user accounts - Business Monkey News
  14. Pingback: Erro de segurança no Flickr permitiu que as fotos fossem enviadas para contas de usuário - Macaco De Negócio Notícia
  15. Pingback: Ошибка безопасности на Flickr позволяет отправлять фотографии в учетные записи пользователей - бизнес из обезьянa Новости
  16. Pingback: Flickr의 보안 오류로 인해 사진이 사용자 계정으로 전송 될 수있었습니다. - 원숭이 의 사업 뉴스

  17. Just want to make sure I understand: when you said “Now by exploiting this, an attacker can easily upload pictures and videos from any Flickr account,” did you actually mean an attacker can upload *to* any Flickr account? As in, pre-mitigation, an attacker could upload any photos or videos they want *to* Flickr-generated email addresses?

    Nice find, thanks!

    Like

    Reply
  18. Pingback: Flickrのセキュリティエラーにより、写真がユーザーアカウントに送信される - モンキー · ビジネス ニュース
  19. Pingback: Falha no Flickr permitia publicar fotos nas contas de outros usuários – Tem di tudo
  20. Pingback: Falha no Flickr permitia publicar fotos nas contas de outros usuários – Tr Tutoriais
  21. Pingback: Unbuensitio Blog | Diseño y programación Web – Error de seguridad en Flickr permitía que se envíen fotos a cuentas de usuarios ajenas
  22. Pingback: How I could have mass uploaded from every Flickr account - ZRaven Consulting
  23. Pingback: Flickr: Schwachstelle ermöglichte Bilder-Uploads auf fremde Accounts – Avada Classic
  25. Pingback: Flickr-Bilder per Email auf fremde Accounts laden | Klaus Ahrens: News, Tipps und Fotos
  26. Pingback: Flickr: Schwachstelle ermöglichte Bilder-Uploads auf fremde Accounts - News
  27. Pingback: How anyone could have stuffed your Flickr account with photos – Naked Security
  28. Pingback: How anybody may have stuffed your Flickr account with pictures | NETWORKFIGHTS.COM
  29. Pingback: How anyone could have stuffed your Flickr account with photos - Account Security Lockdown
  30. Pingback: How anyone could have stuffed your Flickr account with photos – STE WILLIAMS
  31. Pingback: IT Security Weekend Catch Up – October 8, 2017 – BadCyber
  32. Pingback: WHO AM I? And My Experiments with Hacking? – Muhammad Khizer Javed
  34. Pingback: Links II – Chris' Blog
  35. Pingback: Infosec Reading List – October 2017 | Dominik Birk
  36. Pingback: My Guide to Basic Recon? | Bug Bounties + Recon | Amazing Love story.
  37. Pingback: Guide to Basic Reconnaissance? | Bug Bounties – Hussnain Fareed
  40. Pingback: Web Application Security & Bug Bounty (Methodology, Reconnaissance, Vulnerabilities, Reporting) – Welcome Hackers!
  41. Pingback: Web Application Security & Bug Bounty – CodeCraver
  42. Pingback: Guide 001 |Getting Started in Bug Bounty Hunting.. – Muhammad Khizer Javed
  43. Pingback: Getting Started in Bug Bounty Hunting | Complete Guide
  44. Pingback: 7Lab Pharm Online
  45. Pingback: Weekendowa Lektura 2017-10-08- bierzcie i czytajcie | Zaufana Trzecia Strona
  46. Pingback: 7 Lab Pharma - Steroids Discounts and Best Deals
  47. Pingback: Testosterone Cypionat - roids.blog
  48. Pingback: Axio Labs Steroids - Bodybuilding Blog

Leave a comment