Pinterest is a very popular social media, over 70 million users including high profile figures and brands that ordinary use it, such a flaw could have a serious impact on their privacy. Dan has found the way to access to the information belonging to the owner of the Access token, as the researcher has shown it is possible to display them visiting the following URL.
Substituting the “/me/” part of the link with the username of another Pinterest user it is possible to view its email address.
For example the following link shows the email address for user “pinterest” … try your username , it works!
Dan Melamed provided also a Video Proof of Concept for the Pinterest Exploit he has found
A black hat could use the Pinterest Exploit to retrieve all of the email addresses from a list of users for malicious purposes, lets’ think for example to a
spear phishing attack.
Dan also provided a simple solution to fix the Pinterest Expoit he has discovered, it is sufficient to to check the owner of the access token against the user whose information is being requested, in this way it is possible to prevent any abuse.
Dan Revealed that Pinterest Security Team is very efficient and careful with
privacy issues, it has already confirmed that the Pinterest Exploit has been patched. Let’s consider that the same Pinterest gave Dan permission to disclose the Pinterest Exploit differently from other company with similar security problems, they also included Dan’s name in the
Pinterest Heroes List.
Dan Melamed discovered the same type of security flaw in StumbleUpon, the researcher was able to view the full name, email address, age, gender, and location of its users, but the company never gave him permission to disclose the exploit, even after they patched it.
As highlighted by Dan flaws like Pinterest Exploit and StumbleUpon vulnerability would have allowed a hacker to collect over 100 million email addresses, security for
social media is a serious issue.