Right now if Flickr upload is set, the Flickr API key is just sent to the browser every time UploadWizard is loaded. This key allows full read/write access to the Flickr user who owns it and probably can be used to do nasty things.
It is probably possible to send an OAuth token instead [1], which would be limited to whatever operations are actually needed by UploadWizard.
Alternatively, we could just proxy all requests through the server, which is slower but also has privacy advantages.
(Or we could just decide that we do not care, which seems to be the status quo.)
The key is also available through the public configuration [2], so if this gets fixed, that should be changed too.
[1] http://www.flickr.com/services/api/auth.oauth.html
[2] https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/CommonSettings.php#L1783
Version: unspecified
Severity: normal