Friday, 23 August 2013

Critical Pinterest Exploit Compromised Privacy of over 70 Million Users

I'm writing about a critical vulnerability that I discovered in Pinterest. The flaw allowed me to view the email address of any user on Pinterest.

To reproduce the flaw, you first visit the link below:


As you can see, the information belongs to the owner of the 
access token. However, by changing the /me/ part of the link to someone 
else's username, you will be able to see that user's email address.

For example:

The link above will show the email address that belongs to the user 
"pinterest". This flaw works with any user on Pinterest. It works with 
either a username or a user id. And it works with any access token.

Video Proof of Concept:

(Best Viewed in HD)

A solution to this problem, is to check the owner of the access token 
against the user whose information is being requested.

With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have setup a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.

The Pinterest Security Team has confirmed that the exploit has been patched. My experience with Pinterest has been outstanding and they even added my name to their Pinterest Heroes List:
http://about.pinterest.com/terms/responsible-disclosure/

I would also like to say that I had discovered the same type of security flaw in StumbleUpon. I was able to view the full name, email address, age, gender, and location of any user on StumbleUpon. Unfortunately, they never gave me permission to disclose the exploit, even after they patched it. So I'm not going to write about the StumbleUpon flaw in particular.

But I'm glad that Pinterest is much more open to the discussion of security issues. Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.

~Dan Melamed

3 comments:

  1. Next week I'll be at OWASP AppSec EU in Hamburg, Germany. I'm excited about the event and also to connect with the OWASP Europe crew. security grilles

    ReplyDelete

About Me

My Photo
My name is Dan Melamed, I'm a security researcher, web developer, self-employed internet marketer, and entrepreneur with great ideas to share with the world. I was recently featured on Facebook's Whitehat page: http://facebook.com/whitehat/thanks/ You can follow me on twitter @danmelamed

Contact

Media Inquiries:
press.danm@gmail.com

Questions or Comments
general.danm@gmail.com