tl;dr There are two key issues with Flickr’s use of AWS Cognito for their authentication, first, is that only the sub attribute is guaranteed to be unique and should be used to identify users, second is that the access_token provided can be used to modify user attributes. These issues can be chained to modify the email attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user’s Flickr account.