If you used Flickr recently, then you are likely familiar with an incredibly large flaw. Which is ultimately a security vulnerability. The flaw made it possible for malicious agents to upload thousands of unwanted pictures to the accounts of many, unsuspecting users. The defect was found in the “Upload by Email” feature, which allows users to upload images straight to the platform by sending emails to a specific email address. Flickr automatically generates and assigns an email address to users in order to make it easier to upload photos. The vulnerability was discovered by a high-school student named Jazzy. Jazzy is also an independent security researcher and has since documented the issue at more length in his blog.
As we mentioned (and as Jazzy points out) Flickr grants each user a unique email address that they can use to upload images to their accounts. All they have to do is send an email to that particular account and the images are then uploaded. The glaring hole with this feature is that anyone who knows the address could abuse this by uploading images without any user consent. It’s literally just an email account. Which seems pretty unsafe to me, but I am not a security expert.
This issue prompted Jazzy to dig a bit deeper to determine whether or not there was a way to extract a long list of Flickr-generated email addresses. He wasn’t able to breach the website in order to grab up any email addresses, but he did notice there was an option to change his automatically generated email and then get a new one. He repeated this procedure a few more times and noticed a pattern. The email returned by Flickr had some well-defined properties. Specifically, the formula looked like this:
<random dictionary word><random number 0-100><random dictionary word>@photos.flickr.com
Which, seems random enough in that you don’t know what the word is going to be. The number would likely be easier to guess, but one could be: bird15cat and the next could be cat62bird. But, he figured something else out. Each dictionary word was always shorter than 6 characters. And with this in mind Jazzy decided to put together a quick Python script, which would repeatedly change his Flickr email address and record each new unique address in a log file.
He ran the script overnight, generating more than 20,000 addresses. He then went on to write another script, designed to sort through the emails and show how often each dictionary word appeared. The result was surprising, to say the least. Out of the 23,692 email addresses amassed, Jazzy discovered that Flickr only used a total of 935 unique words. This meant that the total amount of permutations the email-naming algorithm could generate close to 87.5 million variations. Flickr only has about 50 million users.
All of this demonstrates that every randomly generated email address has a greater than 50% chance of belonging to an actual user. Jazzy estimates that in order to get access to all of Flickr’s 50 million users, it would only take a short script, some computing power and a couple of hours. Jazzy has notified Yahoo of this vulnerability, but either way, it’s not good news for them. Well, it’s good news that he was able to identify this vulnerability, but it’s not good that it existed in the first place.