BreachExchange mailing list archives
Pinterest patched critical security flaw that compromised users' privacy
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 26 Aug 2013 12:38:13 -0400
http://www.networkworld.com/community/node/83677

Security researcher Dan Melamed found a flaw that could have compromised the privacy of over 70 million photo-loving Pinterest people.

If you like photos, then you most likely love Pinterest. A French study by Semiocast in July found that the highly addictive photo-pinning social media site had 70 million Pinterest users, of which 70% are in America. If a person with malicious intent were able to harvest all the email accounts tied to Pinterest, it would have been a highly unpleasant user experience. Thankfully, it was a good guy who found and reported a flaw that could have compromised the privacy of over 70 million photo-loving Pinterest people.

Security researcher Dan Melamed discovered a critical Pinterest vulnerability that "could have spelled disaster in the hands of a black hat." That's because Melamed found a flaw that could be exploited to reveal the email address of any Pinterest user. It could have been heaven for spammers and scammers, as Melamed pointed out: "A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes."

In his exploit proof-of-concept video, Melamed shows a Pinterest API link that contains a user's access token. He demonstrated that by swapping the /me/ portion with another Pinterest username, it exposed that user's email address. In fact, the flaw worked with any Pinterest username or user ID.

The security team at Pinterest acted quickly to patch the hole and to protect its users' privacy. It then added Melamed to the Heroes of Pinterest list and gave him permission to disclose the exploit.

Apparently, the security team at StumbleUpon is not so friendly to security researchers. Melamed discovered a similar security flaw in StumbleUpon, which allowed him to "view the full name, email address, age, gender, and location of any user on StumbleUpon." Although the site patched the hole, it refused to give him permission to disclose the exploit. He added, "Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses."

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
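The flaw described in the post has the classic shape of a broken object-level authorization bug: the access token proves who is calling, while the path segment alone decides whose record comes back. The following is an added example (not Pinterest's code or Melamed's proof of concept) that models such a lookup, showing the vulnerable handler beside one that authorizes private fields per record; the user store, tokens and path-segment format are constructed placeholders.

```python
# Added example, not code from the article, Pinterest or the researcher.
# Models a /users/<segment>/ lookup: the token proves who is calling,
# the path segment picks whose record is returned.

# Constructed user records; "email" is the private field the flaw leaked.
USERS = {
    101: {"id": 101, "username": "alice", "email": "alice@example.invalid"},
    102: {"id": 102, "username": "bob", "email": "bob@example.invalid"},
}
# Constructed bearer tokens mapped to the account that owns each one.
TOKENS = {"tok-alice": 101, "tok-bob": 102}
# Fields that only the account owner may see.
PRIVATE_FIELDS = {"email"}


def resolve_target(segment, caller_id):
    """Turn the path segment into a user record.

    "me" means the caller; otherwise accept a username or numeric id,
    since the article notes the flaw worked with either.
    """
    if segment == "me":
        return USERS.get(caller_id)
    for user in USERS.values():
        if segment in (user["username"], str(user["id"])):
            return user
    return None


def vulnerable_profile(segment, token):
    """Before the fix: the token is only checked for validity, so a valid
    token plus someone else's segment returns their full record."""
    caller_id = TOKENS.get(token)
    if caller_id is None:
        return None  # no valid token: reject
    target = resolve_target(segment, caller_id)
    return dict(target) if target else None


def hardened_profile(segment, token):
    """After the fix: authorize per field. Private fields are returned
    only when the record belongs to the account the token is bound to."""
    caller_id = TOKENS.get(token)
    if caller_id is None:
        return None
    target = resolve_target(segment, caller_id)
    if target is None:
        return None
    if target["id"] == caller_id:
        return dict(target)
    # Someone else's record: return only the public view.
    return {k: v for k, v in target.items() if k not in PRIVATE_FIELDS}
```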