Did Congressman Anthony Weiner really tweet a photo of his, well, wiener? It's possible, but he also might have been "hacked" via an image service vulnerability that makes it easy for anybody to send a photo to a user's account.

The incident happened over Memorial Day weekend: Weiner's official Twitter account sent a link to a photo on ImageShack's yFrog service of a man's bulging underpants. Weiner immediately denied sending the photo, claiming that his account was hacked. As this is a common defense used by politicians and celebrities against Twitter and Facebook boo-boos, many Weiner-watchers took the hacking claim with a grain of salt.

The truth, though, is that it is possible that the Weiner-wiener incident was pulled off by pranksters who knew how to manipulate yFrog into posting a photo to Weiner's account. yFrog, like many other image services, allows users to send a photo to a specialized e-mail address made for that person's account; when the service receives the message, it gets posted automatically and then tweeted out to the world.

The yFrog e-mail addresses given to users aren't public, but they also aren't hard to crack with some patience and some brute force. As noted by the Daily Dot, the format is the user's Twitter name, a period, and a random word between five and six characters long, followed by @yfrog.com (for example, mine might be something like ejacqui.bears@yfrog.com). And because yFrog apparently accepts submissions to those secret e-mail addresses from any account, any prankster who has guessed the random dictionary word could send a photo to Weiner's account as if it were from Weiner himself.

Many services that offer users a way to send in submissions to a unique e-mail address require the user to register the specific addresses that he or she will be sending from in order to avoid this kind of mixup—Tripit, for example, won't accept e-mail submissions from you unless you send from one of the e-mail addresses that you have associated with your account. But yFrog apparently does not do this, and neither does the Yahoo-owned Flickr—probably one of the most well-known among online image sharing services. (I confirmed this by sending an e-mail to my Flickr account's secret e-mail address from an unknown account and it went right through, no questions asked.) And since I have my Flickr account automatically tweet photos to my Twitter account, well, let's just say that I hope nobody pulls a Weiner on me anytime soon. Sorry in advance, mom.
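The sender-registration check described above can be sketched as follows. This is an added example, not code from yFrog, Flickr, or Tripit; the account record, the lockout threshold, and the sample messages are constructed assumptions, and the address format follows the article's ejacqui.bears@yfrog.com example.

```python
import hmac
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

UPLOAD_DOMAIN = "yfrog.com"   # domain from the article's example address
MAX_BAD_TOKENS = 5            # assumed lockout threshold

# Constructed account record: secret word plus registered sender addresses.
ACCOUNTS = {"ejacqui": {"token": "bears", "senders": {"me@example.org"}}}
bad_tokens = defaultdict(int)  # wrong-word attempts seen per account


def check_upload(raw_message):
    """Return (accepted, reason) for one inbound upload e-mail."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    user, _, token = local.partition(".")
    account = ACCOUNTS.get(user)
    if domain != UPLOAD_DOMAIN or account is None:
        return False, "unknown recipient"
    # Stop dictionary guessing: refuse everything once the limit is hit.
    # (Trade-off: the owner is locked out too until the counter is reset.)
    if bad_tokens[user] >= MAX_BAD_TOKENS:
        return False, "locked"
    if not hmac.compare_digest(token.encode(), account["token"].encode()):
        bad_tokens[user] += 1
        return False, "bad token"
    # Sender allowlist: the Tripit-style check described above.
    if sender not in account["senders"]:
        return False, "unregistered sender"
    return True, "ok"


def make_msg(sender, rcpt):
    """Build a constructed sample message."""
    return f"From: {sender}\nTo: {rcpt}\nSubject: photo\n\n(image)\n"


if __name__ == "__main__":
    addr = "ejacqui.bears@yfrog.com"
    print(check_upload(make_msg("me@example.org", addr)))
    print(check_upload(make_msg("stranger@example.net", addr)))
```

The From header is itself forgeable, so a production service would also require the message to pass SPF or DKIM validation for the sender's domain before trusting the allowlist match.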

The folks over at Cannonfire tested this several times with yFrog and confirmed that this is possible when the trickster figures out the target's yFrog e-mail address. yFrog has since disabled this feature, but the damage has already been done to Weiner's reputation—assuming that it was indeed a prank from a third party. At this point, we may never know the full truth (after all, Weiner claims to be unsure whether the photo is actually of him or not), but the incident highlights the need for more secure measures if politicians are going to make use of social media services.

Update: yFrog posted an update to its blog on Thursday, reminding users about how to keep their e-mail uploads secure and stating that its service has not been compromised. Still, the e-mail upload feature remains disabled: "Even though our email upload feature has not been compromised or broken into, we are taking this opportunity to evaluate the feature and secure it even further."
