The Hacker News

 

 

The Hacker News

The Hacker News has been internationally recognized as a leading news source dedicated to promoting awareness for security experts and hackers // via fulltextrssfeed.com

Pinterest Exploit exposes user information of 70 Million accounts
8/26/2013 7:17:00 AM

Security researcher Dan Melamed has found a serious Pinterest Exploit that exposed user's information of over 70 Million accounts.

The security researcher Dan Melamed has found a Critical Pinterest Exploit that compromised the privacy of over 70 Million Users, the flaw allows hackers to view the email address of any user on Pinterest.

Pinterest is a very popular social media, over 70 million users including high profile figures and brands that ordinary use it, such a flaw could have a serious impact on their privacy. Dan has found the way to access to the information belonging to the owner of the Access token, as the researcher has shown it is possible to display them visiting the following URL.

https://api.pinterest.com/v3/users/me/?access_token=

MTQzMTYwMjozNTcxOTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4ODMyOjAtLTE2

ZWJjNDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

Substituting the "/me/" part of the link with the username of another Pinterest user it is possible to view its email address.

For example the following link shows the email address for user "pinterest" ... try your username , it works!

https://api.pinterest.com/v3/users/pinterest/?access_token=MTQzMTYwMjozNTcx

OTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4

ODMyOjAtLTE2ZWJjNDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

Dan Melamed provided also a Video Proof of Concept for the Pinterest Exploit he has found

A black hat could use the Pinterest Exploit to retrieve all of the email addresses from a list of users for malicious purposes, lets' think for example to a spear phishing attack.

Dan also provided a simple solution to fix the Pinterest Exploit he has discovered, it is sufficient to to check the owner of the access token against the user whose information is being requested, in this way it is possible to prevent any abuse.

Dan Revealed that Pinterest Security Team is very efficient and careful with privacy issues, it has already confirmed that the Pinterest Exploit has been patched. Let's consider that the same Pinterest gave Dan permission to disclose the Pinterest Exploit differently from other company with similar security problems, they also included Dan's name in the Pinterest Heroes List.

Dan Melamed discovered the same type of security flaw in StumbleUpon, the researcher was able to view the full name, email address, age, gender, and location of its users, but the company never gave him permission to disclose the exploit, even after they patched it.

As highlighted by Dan flaws like Pinterest Exploit and StumbleUpon vulnerability would have allowed a hacker to collect over 100 million email addresses, security for social media is a serious issue.

Latest Hacking News Updates

Author details

Pierluigi Paganini is Company Director, Researcher, Security Evangelist, Security Analyst and Freelance Writer. Security expert with over 20 years experience in the field. The passion for writing and a strong belief that security is founded on sharing and awareness led me to found the security blog 'Security Affairs' He is also Author of the book "The Deep Dark Web". Follow him @ Facebook | Google | Email | Twitter

 

You are receiving this email because you subscribed to this feed at feedmyinbox.com

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions