A security researcher has discovered a vulnerability in Pinterest, the rapidly growing social network, that enables an attacker who knows a target’s username or user ID to discover that user’s email address. The bug is quite simple to exploit and could give an ambitious attacker a huge target list for phishing attacks.

The researcher who discovered the vulnerability, Dan Melamed, said that the Pinterest security team responded to his report quickly and has patched the bug already. The vulnerability is about as simple as they come. Melamed discovered that by replacing a short string in a specific Pinterest URL with a user’s username or user ID, he could return a page that showed him the target’s email address. The trick worked with any username.

So, a link that looks like the one below will show the attacker the email address for the user Pinterest.

hxxps://api.pinterest.com/v3/users/pinterest/?access_token=MTQzMTYwMjozNTcxOTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4ODMy

OjAtLTE2ZWJjNDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

“The link above will show the email address that belongs to the user ‘pinterest’. This flaw works with any user on Pinterest. It works with either a username or a user id. And it works with any access token,” Melamed said in a blog post explaining the vulnerability. “A solution to this problem, is to check the owner of the access token against the user whose information is being requested.”

Melamed said that he discovered a similar flaw in StumbleUpon, which was more severe, in that it enabled him to find the user’s full name, email address, age, gender and location. That flaw has been patched as well.

Pinterest has slowly been drawing more attention from attackers in the last year or two as the site has ben growing in popularity and scope. Last year, the site had to move to lock down some users’ accounts after widespread reports of account compromises. A few months earlier, scammers had targeted Pinterest users in a phishing scam, too.

 

Categories: Vulnerabilities, Web Security