by zero-error 4459 days ago
Regarding your second suggestion, how would allowing only POST requests stop this from being exploited?

POST requests aren't any more secure than GETs[0] in the context of this exploit, so surely it would make no difference if the attacker was forced to send one type instead of another?

It would also mean that the intended recipients of the Flickr invites would be unable to accept them because you can't POST via links in emails.

[0] https://stackoverflow.com/questions/198462/is-either-get-or-...

2 comments

Maybe this is a repetition of that old "POST-only prevents CSRF" myth?

Allowing only POST requests can help for one simple reason - it's harder for people to share the link without knowing what they're giving away.

Of course, using POST is not the only solution here (requiring the invitation to be by the signed-in user is way better), and it can represent a UX problem (refreshing causes the dreaded "form resubmit" warning).

But it's not a no-op. It does have an effect on security in practice, even if it doesn't in theory.
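To make the two positions in this thread concrete, here is an added simulation (not code from the thread, and not Flickr's implementation) of an "accept invite" endpoint written two ways. `accept_post_only` is the "POST-only" hardening; `accept_bound_to_user` is the alternative the reply prefers, where the action is tied to the signed-in user via a session-held CSRF token plus a check that the invite was addressed to that user. The session store, invite table, request class and handler names are all hypothetical; the point is that a cross-site POST still carries the victim's cookie, so the method alone cannot distinguish it from a genuine one.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, query/form params, cookies."""
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)


def make_state(csrf_token):
    """Constructed session store and invite table (hypothetical, not Flickr's)."""
    sessions = {"sess-alice": {"user": "alice", "csrf": csrf_token}}
    invites = {
        "inv-1": {"to": "alice", "accepted_by": None},
        "inv-2": {"to": "bob", "accepted_by": None},
    }
    return sessions, invites


def accept_post_only(req, sessions, invites):
    """Hardening by method alone. A cross-site <form method="POST"> submitted
    from a third-party page still carries the victim's session cookie, so this
    handler cannot tell a forged POST from a genuine one."""
    if req.method != "POST":
        return 405
    sess = sessions.get(req.cookies.get("session"))
    if sess is None:
        return 401
    inv = invites.get(req.params.get("invite"))
    if inv is None:
        return 404
    inv["accepted_by"] = sess["user"]
    return 200


def accept_bound_to_user(req, sessions, invites):
    """The action is tied to the signed-in user: the POST must carry the token
    stored in that user's session (which a cross-site page cannot read), and
    the invite must be addressed to that user."""
    if req.method != "POST":
        return 405
    sess = sessions.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if not hmac.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
        return 403  # token missing or wrong: treat as forged
    inv = invites.get(req.params.get("invite"))
    if inv is None:
        return 404
    if inv["to"] != sess["user"]:
        return 403  # invite was sent to someone else
    inv["accepted_by"] = sess["user"]
    return 200


def demo():
    """Replay four requests against both handlers; return the status codes."""
    token = secrets.token_hex(16)
    cookie = {"session": "sess-alice"}

    # 1. Alice follows the link in her email: a plain GET with her cookie.
    from_email = Request("GET", {"invite": "inv-1"}, cookie)
    # 2. Alice visits a third-party page that submits a POST form to the site;
    #    the browser attaches her cookie, but the page holds no token.
    cross_site = Request("POST", {"invite": "inv-1"}, cookie)
    # 3. Alice submits the site's own accept form, which embeds her token.
    genuine = Request("POST", {"invite": "inv-1", "csrf": token}, cookie)
    # 4. Same as 3, but for an invite addressed to bob.
    wrong_user = Request("POST", {"invite": "inv-2", "csrf": token}, cookie)

    results = {}
    for name, handler in (("post_only", accept_post_only),
                          ("bound", accept_bound_to_user)):
        sessions, invites = make_state(token)  # fresh state per handler
        results[name] = {
            "email_link": handler(from_email, sessions, invites),
            "cross_site_post": handler(cross_site, sessions, invites),
            "genuine_post": handler(genuine, sessions, invites),
            "other_users_invite": handler(wrong_user, sessions, invites),
        }
    return results


if __name__ == "__main__":
    for name, codes in demo().items():
        print(name, codes)
```

Both handlers answer the emailed GET link with 405, which is the usability cost the first comment raises. Only the token-bound handler rejects the cross-site POST (403), because the forged form can supply the cookie but not the session's token; it also refuses an invite addressed to a different user.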