BreachExchange mailing list archives

Pinterest patched critical security flaw that compromised users' privacy


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 26 Aug 2013 12:38:13 -0400

http://www.networkworld.com/community/node/83677

Security researcher Dan Melamed found a flaw that could have
compromised the privacy of over 70 million photo-loving Pinterest people.

If you like photos, then you most likely love Pinterest. A French
study by Semiocast in July found that the highly addictive
photo-pinning social media site had 70 million Pinterest users, of
which 70% are in America. If a person with malicious intent were able
to harvest all the email accounts tied to Pinterest, it would have
been a highly unpleasant user experience. Thankfully, it was a good
guy who found and reported a flaw that could have compromised the
privacy of over 70 million photo-loving Pinterest people.

Security researcher Dan Melamed discovered a critical Pinterest
vulnerability that "could have spelled disaster in the hands of a
black hat." That's because Melamed found a flaw that could be
exploited to reveal the email address of any Pinterest user. It could
have been heaven for spammers and scammers as Melamed pointed out, "A
hacker could have set up a bot to retrieve all of the email addresses
from a list of users for spam or malicious purposes."

In his exploit proof of concept video, Melamed shows a Pinterest API
link that contains a user's access token. He demonstrated that by
swapping the /me/ portion with another Pinterest username, it exposed
that user's email address. In fact, the flaw worked with any Pinterest
username or user ID.
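As an added illustration (not code from the article, from Melamed's proof of concept, or from Pinterest), here is a minimal Python model of the authorization gap the article describes, beside a hardened lookup that returns the email only to the token's owner and records cross-user attempts for review; the users, tokens and the `AUDIT` list are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str


# Constructed sample data; none of these users or tokens are real.
USERS = {
    "alice": User("alice", "alice@example.com"),
    "bob": User("bob", "bob@example.com"),
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Record of (caller, requested_user) pairs where a caller asked for
# someone else's profile; a defender would alert on bursts of these.
AUDIT = []


def token_owner(token):
    """Map an access token to its owner, or fail if the token is unknown."""
    owner = TOKENS.get(token)
    if owner is None:
        raise PermissionError("invalid token")
    return owner


def resolve_target(token, path):
    """Turn a path segment like '/me/' or '/bob/' into a username."""
    segment = path.strip("/")
    return token_owner(token) if segment == "me" else segment


def profile_vulnerable(token, path):
    """Flawed lookup: the token is validated, but nothing checks that the
    caller owns the requested profile, so any username yields its email."""
    user = USERS[resolve_target(token, path)]
    return {"username": user.username, "email": user.email}


def profile_hardened(token, path):
    """Fixed lookup: private fields are returned only to the profile's
    owner; other callers get public fields and the request is logged."""
    owner = token_owner(token)
    target = resolve_target(token, path)
    if target not in USERS:
        raise KeyError("no such user")
    result = {"username": USERS[target].username}
    if target == owner:
        result["email"] = USERS[target].email
    else:
        AUDIT.append((owner, target))
    return result
```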

The security team at Pinterest acted quickly to patch the hole and to
protect its users' privacy. It then added Melamed to the Heroes of
Pinterest list and gave him permission to disclose the exploit.

Apparently, the security team at StumbleUpon is not so friendly to
security researchers. Melamed discovered a similar security flaw in
StumbleUpon, which allowed him to "view the full name, email address,
age, gender, and location of any user on StumbleUpon." Although the
site patched the hole, it refused to give him permission to disclose
the exploit.

He added, "Combining both the Pinterest and StumbleUpon flaw would
have allowed a hacker to collect over 100 million email addresses."

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
