To reproduce the flaw, you first visit the link below:
As you can see, the information belongs to the owner of the
access token. However, by changing the /me/ part of the link to someone
else's username, you will be able to see that user's email address.
For example:
The link above will show the email address that belongs to the user
"pinterest". This flaw works with any user on Pinterest. It works with
either a username or a user id. And it works with any access token.
Video Proof of Concept:
(Best Viewed in HD)
A solution to this problem is to check the owner of the access token
against the user whose information is being requested.
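As an added illustration (not Pinterest's code; the users, tokens and field names are constructed), here is a minimal model of the user-info endpoint in its flawed form next to the ownership check described above:

```python
# Added example (not Pinterest's code): a minimal model of the user-info
# endpoint described above, in its vulnerable form and with the ownership
# check the post recommends. All names and data are constructed.

# Constructed users, keyed by user id; each also has a username so the
# endpoint can be addressed either way, as the post describes.
USERS = {
    "1001": {"username": "alice", "email": "alice@example.com"},
    "1002": {"username": "pinterest", "email": "press@example.com"},
}

# Constructed access tokens -> owning user id.
TOKENS = {"tok-alice": "1001"}

PUBLIC_FIELDS = ("username",)
PRIVATE_FIELDS = ("username", "email")


def resolve_user(identifier):
    """Accept a user id or a username, like the endpoint in the post."""
    if identifier in USERS:
        return identifier
    for uid, rec in USERS.items():
        if rec["username"] == identifier:
            return uid
    return None


def vulnerable_user_info(token, identifier):
    """Flawed behaviour: the token is only checked for validity and is
    never compared with the user whose record is requested."""
    owner = TOKENS.get(token)
    if owner is None:
        return 401, None
    uid = owner if identifier == "me" else resolve_user(identifier)
    if uid is None:
        return 404, None
    return 200, {k: USERS[uid][k] for k in PRIVATE_FIELDS}


def fixed_user_info(token, identifier):
    """Hardened: private fields are returned only when the token's owner
    is the user being requested; anyone else gets the public fields."""
    owner = TOKENS.get(token)
    if owner is None:
        return 401, None
    uid = owner if identifier == "me" else resolve_user(identifier)
    if uid is None:
        return 404, None
    fields = PRIVATE_FIELDS if uid == owner else PUBLIC_FIELDS
    return 200, {k: USERS[uid][k] for k in fields}
```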
With Pinterest surpassing 70 million users and given the number of high-profile figures and brands using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.
The Pinterest Security Team has confirmed that the exploit has been patched. My experience with Pinterest has been outstanding and they even added my name to their Pinterest Heroes List:
http://about.pinterest.com/terms/responsible-disclosure/
I would also like to say that I had discovered the same type of security flaw in StumbleUpon. I was able to view the full name, email address, age, gender, and location of any user on StumbleUpon. Unfortunately, they never gave me permission to disclose the exploit, even after they patched it. So I'm not going to write about the StumbleUpon flaw in particular.
But I'm glad that Pinterest is much more open to the discussion of security issues. Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.
~Dan Melamed
nice work

awesome, good job!