Pinterest recently fixed an issue in the API of its web app that could have allowed remote attackers to compromise emails and carry out session hijacking and phishing attacks.
Vulnerability Lab researcher Benjamin Kunz Mejri discovered the issue, which is a persistent mail encoding and validation web vulnerability shortly after the start of the year. While developers with Pinterest were actually speedy in fixing the issue – they issued a patch in February, two weeks after Mejri notified them of the bug – the vulnerability wasn’t disclosed until Monday.
The issue was in located in Pinterest’s API, in the `contact_name` value of User Profile scheme. Upon registration, an attacker could compromise user emails or random mails with their own malicious script.
“After the inject of malicious script code the service stores the account in the database management system,” reads part of the disclosure, “The attack vector of the issue is located on the application-side of the online service and the request method to inject is POST.”
Remote attackers could register with Pinterest using random mails without verification and then send malicious ‘Pins’ to users. If successful the exploit could result in:
- Session hijacking
- Persistent phishing attacks
- Persistent redirect to external sources
- Persistent manipulation of affected or connected module context.
Mejri claims that before it was fixed, exploitation of the vulnerability required a low privilege Pinterest account with low user interaction and that the vulnerability could have been exploited by local and remote attackers alike.
The bug is one of 47 identified since Pinterest formalized its bug bounty program with Bugcrowd in May 2014.
The photo sharing app, which allows users to share “pins” and maintain “pinboards,” received some flak when it first started the program and only offered researchers t-shirts and a mention in its bounty hall of fame as prizes. In March the company embraced HTTPS and subsequently upped the ante for its bug bounty program. Now Pinterest pays between $25 to $200 for bugs in its developer site, API, iOS and Android mobile applications although neither Pinterest nor Mejri specified exactly how much his vulnerability was worth.
