Friday 23 August 2013

Critical Pinterest Exploit Compromised Privacy of over 70 Million Users

I'm writing about a critical vulnerability that I discovered in Pinterest. The flaw allowed me to view the email address of any user on Pinterest.

To reproduce the flaw, you first visit the link below:


As you can see, the information belongs to the owner of the access token. However, by changing the /me/ part of the link to someone else's username, you will be able to see that user's email address.

For example:

The link above will show the email address that belongs to the user "pinterest". This flaw works with any user on Pinterest. It works with either a username or a user id, and it works with any access token.

Video Proof of Concept:

(Best Viewed in HD)

A solution to this problem is to check the owner of the access token against the user whose information is being requested, and to refuse the request when the two do not match.
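The check described above, written out as an added example that is not Pinterest's code or the author's. It models the /me/ lookup with an in-memory user table, a token-to-owner table and a path segment that may be "me", a user id or a username, and shows the pre-patch lookup beside the fixed one. All names, ids, tokens and email addresses are constructed assumptions.

```python
# Added example (not Pinterest's code): the access-token owner check that the
# post describes as the fix for the /me/ lookup, shown beside the vulnerable
# lookup it replaces. All data and names below are constructed assumptions.

# Constructed sample users: user id -> profile (not real accounts).
USERS = {
    "1001": {"username": "alice", "email": "alice@example.com"},
    "1002": {"username": "pinterest", "email": "pinterest@example.com"},
}
USERNAME_TO_ID = {u["username"]: uid for uid, u in USERS.items()}

# Constructed access tokens: token -> id of the user who owns it.
TOKENS = {"tok-alice": "1001"}


class Unauthorized(Exception):
    """No valid access token was presented."""


class Forbidden(Exception):
    """Token is valid but does not authorize this resource."""


def owner_of(access_token):
    """Map the presented token to its owner, or refuse the request."""
    owner = TOKENS.get(access_token)
    if owner is None:
        raise Unauthorized("unknown access token")
    return owner


def resolve_target(segment, token_owner):
    """Turn the path segment after /users/ into a user id.

    Accepts 'me', a numeric user id or a username, mirroring the post's note
    that the flaw worked with either a username or a user id.
    """
    if segment == "me":
        return token_owner
    if segment in USERS:
        return segment
    if segment in USERNAME_TO_ID:
        return USERNAME_TO_ID[segment]
    raise KeyError(segment)


def get_email_vulnerable(segment, access_token):
    """Pre-patch behaviour: any valid token can read any user's email.

    The token only proves that *someone* is logged in; the target user is
    taken from the URL and never compared with the token owner.
    """
    owner = owner_of(access_token)
    target = resolve_target(segment, owner)
    return USERS[target]["email"]


def get_email_fixed(segment, access_token):
    """Patched behaviour: the token owner may only read their own email."""
    owner = owner_of(access_token)
    target = resolve_target(segment, owner)
    if target != owner:
        # Compare canonical user ids, not raw path text: 'pinterest' and
        # '1002' both name the same account and must both be refused.
        raise Forbidden("access token does not belong to the requested user")
    return USERS[target]["email"]


if __name__ == "__main__":
    print(get_email_vulnerable("pinterest", "tok-alice"))  # leaks pinterest@example.com
    print(get_email_fixed("me", "tok-alice"))              # alice@example.com
    try:
        get_email_fixed("1002", "tok-alice")
    except Forbidden as e:
        print("refused:", e)
```

The important detail is where the comparison happens: after the username or id has been resolved to a canonical user id, so that every spelling of the target is checked the same way. Authenticating the token and authorizing the resource are two separate steps, and the vulnerable version only did the first.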

With Pinterest surpassing 70 million users and given the number of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have set up a bot to retrieve the email addresses of every user on a list for spam or other malicious purposes.

The Pinterest Security Team has confirmed that the exploit has been patched. My experience with Pinterest has been outstanding and they even added my name to their Pinterest Heroes List:
http://about.pinterest.com/terms/responsible-disclosure/

I would also like to say that I had discovered the same type of security flaw in StumbleUpon. I was able to view the full name, email address, age, gender, and location of any user on StumbleUpon. Unfortunately, they never gave me permission to disclose the exploit, even after they patched it. So I'm not going to write about the StumbleUpon flaw in particular.

But I'm glad that Pinterest is much more open to the discussion of security issues. Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.

~Dan Melamed

Thursday 8 August 2013

Facebook Fanpage Invite Exploit & CSRF

I'm finally able to write about another vulnerability now that it's been patched. This is probably considered to be a medium-severity bug.

I discovered a feature on Facebook that allows you to invite your friends to like a Facebook Fanpage. I've discovered two vulnerabilities in this feature:

1. I found a way to invite any Facebook user to like a Fanpage even if they are not my friend
2. A Cross Site Request Forgery flaw

The scenario is that a spammer could set up a bot to collect every single Facebook ID and spam them all with unwanted invites to like their fanpage. The CSRF allowed invites to be sent on behalf of any other user who visited a malicious website while logged in to Facebook.

To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to:
https://x.facebook.com/send_page_invite/?pageid=583584051694359

You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.

The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:
http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359

Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.

After the patch, the request must use the POST method and include the fb_dtsg token, and you can no longer send invites to people who are not on your friends list. Depending on the target user's notification settings, the invite would either appear in their notifications or under the "Like Pages" tab, and it usually sends out an email informing the user that they were invited to like the fanpage.
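The three conditions the patched endpoint enforces (POST only, a valid fb_dtsg token, invitee must be a friend), written out as an added example that is not Facebook's code or the author's. The handler takes the HTTP method, the request parameters and the session cookie; the session store, friend lists and token generation are constructed assumptions, and the parameter is called fb_dtsg only because the post names that token.

```python
# Added example (not Facebook's code): the server-side checks the post says
# were missing from send_page_invite, beside the pre-patch handler that lacked
# them. Sessions, friend lists and the token are constructed assumptions; the
# parameter is named fb_dtsg because the post names that token.
import hmac
import secrets

# Constructed data: user id -> set of friend ids.
FRIENDS = {"100": {"200", "300"}}

# Constructed sessions: session cookie -> logged-in user and a per-session
# anti-CSRF token. The browser sends the cookie automatically on a cross-site
# request; it does not send the token, which is what makes the token useful.
SESSIONS = {
    "sess-100": {"user_id": "100", "fb_dtsg": secrets.token_urlsafe(16)},
}


def send_page_invite_vulnerable(method, params, session_cookie):
    """Pre-patch behaviour as described in the post.

    Any method (including GET) is accepted, no anti-CSRF token is required,
    and invitee_id is trusted without checking it is one of the sender's friends.
    """
    sess = SESSIONS.get(session_cookie)
    if sess is None:
        raise PermissionError("not logged in")
    return {"from": sess["user_id"], "to": params["invitee_id"],
            "page": params["page_id"]}


def send_page_invite_fixed(method, params, session_cookie):
    """Post-patch behaviour: POST only, valid fb_dtsg, invitee must be a friend."""
    sess = SESSIONS.get(session_cookie)
    if sess is None:
        raise PermissionError("not logged in")

    # 1. A state-changing action must not be reachable by a plain GET, which
    #    any third-party page can trigger with an <img src=...> or a link.
    if method != "POST":
        raise PermissionError("send_page_invite requires POST")

    # 2. The submitted token must equal the session's token. A third-party
    #    site cannot read it, so it cannot forge the request. compare_digest
    #    keeps the comparison constant-time.
    submitted = params.get("fb_dtsg", "")
    if not hmac.compare_digest(submitted, sess["fb_dtsg"]):
        raise PermissionError("missing or invalid fb_dtsg token")

    # 3. The invitee must be in the sender's friend list; this is the
    #    authorization check that stopped invites to arbitrary user ids.
    invitee = params["invitee_id"]
    if invitee not in FRIENDS.get(sess["user_id"], set()):
        raise PermissionError("can only invite friends")

    return {"from": sess["user_id"], "to": invitee, "page": params["page_id"]}


if __name__ == "__main__":
    forged = {"invitee_id": "4", "page_id": "583584051694359"}
    print(send_page_invite_vulnerable("GET", forged, "sess-100"))  # invite sent to id 4
    token = SESSIONS["sess-100"]["fb_dtsg"]
    for method, params in [("GET", forged),
                           ("POST", forged),
                           ("POST", dict(forged, fb_dtsg=token))]:
        try:
            send_page_invite_fixed(method, params, "sess-100")
        except PermissionError as e:
            print(method, "refused:", e)
    ok = {"invitee_id": "200", "page_id": "583584051694359", "fb_dtsg": token}
    print(send_page_invite_fixed("POST", ok, "sess-100"))
```

The order of the checks matters less than their independence: the method and token checks defeat the CSRF, while the friend-list check defeats the invite-anyone bug, and neither fixes the other. A request from a malicious site with a correct session cookie still fails at step 1 or 2; a logged-in user tampering with invitee_id in their own browser still fails at step 3.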

Video Proof of Concept:

(Best viewed in HD)

Update (August 20th): I'm receiving $5,000 for both of these bugs

About Me

I'm a security researcher. You can follow me on twitter @danmelamed

Contact

Media Inquiries:
press.danm@gmail.com

Questions or Comments
general.danm@gmail.com