
Flickr is an online image and video hosting service. It suffered from a flaw that made it possible for malicious agents to upload unwanted pictures to the accounts of random, unsuspecting users.
The flaw was discovered by Jazzy, a high school senior with an interest in information security.
At first, he found that the app was creating account-specific email addresses using a small dictionary that was vulnerable to brute-force attacks. An attacker could have exploited the flaw easily and uploaded thousands of pictures and videos, stuffing Flickr accounts with their own content.
Jazzy had been poking at Flickr for only about 30 minutes when he discovered the feature that allows people to email photos to others' accounts by sending an email to a specific address.
So if an attacker could figure out the email address used with each account, the attacker would not even need a password to upload photos and videos to victims' accounts.
He couldn't figure out a way to get the system to leak email addresses, but he found a button that could be used to replace the current email address with a new one. When Jazzy clicked on it, he instantly got a new address. Each time he did it, he received a new one.
Quickly, Jazzy started to see a pattern.
Jazzy saw that the length of the dictionary word was always less than 6 characters. He used a Python script to change his email address, and set the script to run overnight.
The next morning, he saw that Flickr had returned about 20,000 email addresses. He spun up a quick script to sort through the addresses and found that only 935 unique words were used across all of them.
So out of 23,000 email addresses, Flickr used only 935 unique words.

By his calculations, if Jazzy generated email addresses himself from the permutations of the dictionary words he enumerated, one out of two of the emails would be a valid Flickr email. An attacker could exploit the situation quite efficiently, explained Jazzy:
"It won’t even take more than 3 hours to send 87.5 million emails using a multithreaded script and some power. And we can even send a single email to multiple addresses by CC/BCC, which would further reduce the amount of emails to send.
Now by exploiting this, an attacker can easily upload pictures and videos [to] any Flickr account."
Jazzy reported the bug as soon as he had verified it. Yahoo!, as the owner of Flickr, marked the flaw as P1, a critical bug that needs an immediate fix. For his efforts, Jazzy was given a $4000 bounty.
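
The weakness described above comes down to how little entropy a dictionary-built upload address carries, which a defender can measure and compare with a random token. The Python sketch below is an added example, not code from the article or from Flickr. The word-digits-word layout, the sample addresses and the 40 million account figure are assumptions constructed for illustration; only the 935-word count comes from the article.

```python
import math
import re
import secrets

# Constructed sample of address local parts. The word-digits-word layout is an
# assumption made for this example; the article does not state the real format.
SAMPLE = ["blue42rock", "rock07tree", "tree42blue",
          "lamp13blue", "rock42lamp", "blue07tree"]
LAYOUT = re.compile(r"^([a-z]+)(\d+)([a-z]+)$")

def observed_vocabulary(local_parts):
    """Collect the distinct dictionary words seen in a sample of issued addresses."""
    words = set()
    for part in local_parts:
        match = LAYOUT.match(part)
        if match:
            words.update((match.group(1), match.group(3)))
    return words

def keyspace_bits(vocab_size, word_slots, digit_slots):
    """Entropy in bits of an address built from dictionary words and decimal digits."""
    return word_slots * math.log2(vocab_size) + digit_slots * math.log2(10)

def occupied_fraction(issued_addresses, bits):
    """Share of the address space in use, i.e. the chance a random guess is valid."""
    return min(1.0, issued_addresses / 2 ** bits)

def new_upload_token(nbytes=16):
    """Hardened alternative: 128 bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    vocab = observed_vocabulary(SAMPLE)
    print(f"sample vocabulary: {len(vocab)} words")
    # 935 is the unique-word count reported in the article.
    weak = keyspace_bits(935, word_slots=2, digit_slots=2)
    print(f"dictionary scheme: {weak:.1f} bits")
    # 40 million accounts is a constructed figure for illustration only.
    for label, bits in (("dictionary", weak), ("128-bit token", 128)):
        rate = occupied_fraction(40_000_000, bits)
        print(f"{label}: guess hit rate {rate:.3g}")
    print("example token:", new_upload_token())
```

Running the same audit against a sample of addresses a service actually issues shows whether the vocabulary plateaus at a small size, which is the signal that the scheme needs replacing with a CSPRNG-derived token.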