Well, we both used an ID that was still created by our user. Additional checks may have already been in place to protect against using an ID created by other users. So I wouldn’t be so sure.
I don’t remember the specifics, but the source code was checking access rights (in a wrong way), and then retrieved the uploaded picture with:
upload = Upload.find_by(id: upload_id)
So depending on how secure Upload.find_by was, it might have been possible. But I do not remember for sure, maybe you’re right.