Critical Pinterest Exploit threatens the privacy of millions of users

Security researcher Dan Melamed has found a serious Pinterest Exploit that exposed user’s information of over 70 Million accounts.

The security researcher Dan Melamed has found a Critical Pinterest Exploit that compromised the privacy of over 70 Million Users, the flaw allows hackers to view the email address of any user on Pinterest.

Pinterest is a very popular social media, over 70 million users including high profile figures and brands that ordinary use it, such a flaw could have a serious impact on their privacy. Dan has found the way to access to the information belonging to the owner of the Access token, as the researcher has shown it is possible to display them visiting the following URL.

https://api.pinterest.com/v3/users/me/?access_token=

MTQzMTYwMjozNTcxOTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4ODMyOjAtLTE2

ZWJj NDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

Substituting the “/me/” part of the link with the username of another Pinterest user it is possible to view its email address.

For example the following link shows the email address for user “pinterest” … try your username , it works!

https://api.pinterest.com/v3/users/pinterest/?access_token=MTQzMTYwMjozNTcx

OTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4

ODMyOjAtLTE2ZWJjNDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

Dan Melamed provided also a Video Proof of Concept for the Pinterest Exploit he has found

A black hat could use the Pinterest Exploit to retrieve all of the email addresses from a list of users for malicious purposes, lets’ think for example to a spear phishing attack.

Dan also provided a simple solution to fix the Pinterest Expoit he has discovered, it is sufficient to to check the owner of the access token against the user whose information is being requested, in this way it is possible to prevent any abuse.

Dan Revealed that Pinterest Security Team is very efficient and careful with privacy issues, it has already confirmed that the Pinterest Exploit has been patched. Let’s consider that the same Pinterest gave Dan permission to disclose the Pinterest Exploit differently from other company with similar security problems, they also included Dan’s name in the Pinterest Heroes List.

Dan Melamed discovered the same type of security flaw in StumbleUpon, the researcher was able to view the full name, email address, age, gender, and location of its users, but the company never gave him permission to disclose the exploit, even after they patched it.

As highlighted by Dan flaws like Pinterest Exploit and StumbleUpon vulnerability would have allowed a hacker to collect over 100 million email addresses, security for social media is a serious issue.

Pierluigi Paganini

(Security Affairs – Hacking, Pinterest Exploit)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.