Pinterest Patches Spam-tastic Email Flaw

With Pinterest surpassing more than 70 million users, email harvesting could have potentially devastating effects in the hands of the wrong person

With Pinterest surpassing more than 70 million users, and given the amount of high-profile figures and brands that are using the site, email harvesting could have potentially devastating effects in the hands of the wrong person.

“Such a flaw could have spelled disaster in the hands of a blackhat,” noted security researcher Dan Melamed in a blog post covering the vulnerability. “A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.”

Pinterest has now patched the issue, and went so far as to add Melamed to its “Heroes of Pinterest” list. But the way the flaw works could be common to other platforms and bears looking at. Melamed, for example, said that this was not the first time he’s encountered this type of flaw.

“I would also like to say that I had discovered the same type of security flaw in StumbleUpon,” he noted. “I was able to view the full name, email address, age, gender and location of any user on StumbleUpon. Unfortunately, they never gave me permission to disclose the exploit, even after they patched it. So I'm not going to write about the StumbleUpon flaw in particular.”

That flaw would have opened up 30 million emails to attacker harvesting.

The way the Pinterest vulnerability works is like this: The access token within the Pinterest API hook-in for accounts was presented with a standard naming convention. So when viewing one’s own account information, part of the request string says “/me/,” designating the account for which to show information. But by simply changing the “/me/” part of the link to someone else's username, that user's email address was revealed, because the API never checked that the access token belonged to the account being requested.

“This flaw works with any user on Pinterest,” Melamed said. “It works with either a username or a user id. And it works with any access token. A solution to this problem is to check the owner of the access token against the user whose information is being requested.”
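The following is an added illustration of the authorization check Melamed describes; it is not Pinterest's code, and the handler names, token table and sample users are constructed for the example. The flawed handler accepts any valid token and resolves whatever username or numeric id follows the "/me/" slot; the hardened handler returns a record only when the token's owner is the user being requested.

```python
"""Added example: an insecure direct object reference in a "get user"
endpoint, beside the hardened version that binds the access token to the
requested user. Names and data below are constructed, not Pinterest's."""

# Constructed sample data: access token -> owning username, plus a user table.
TOKENS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}
USERS = {
    "alice": {"id": "1001", "username": "alice", "email": "alice@example.com"},
    "bob": {"id": "1002", "username": "bob", "email": "bob@example.com"},
}


def resolve_user(identifier):
    """Look up a user by username or numeric id (the flaw worked with either)."""
    if identifier in USERS:
        return USERS[identifier]
    for user in USERS.values():
        if user["id"] == identifier:
            return user
    return None


def get_user_vulnerable(access_token, identifier):
    """Flawed handler: checks that the token exists, but never checks that it
    belongs to the user whose record is being requested."""
    owner = TOKENS.get(access_token)
    if owner is None:
        raise PermissionError("invalid access token")
    target = owner if identifier == "me" else identifier
    user = resolve_user(target)
    if user is None:
        raise LookupError("no such user")
    return user  # any valid token reveals any user's email address


def get_user_fixed(access_token, identifier):
    """Hardened handler: the token's owner must be the requested user, whether
    the request says "me", the owner's username, or the owner's numeric id."""
    owner = TOKENS.get(access_token)
    if owner is None:
        raise PermissionError("invalid access token")
    target = owner if identifier == "me" else identifier
    user = resolve_user(target)
    if user is None or user["username"] != owner:
        # One error for both "missing" and "not yours", so the endpoint does
        # not confirm which usernames or ids exist.
        raise PermissionError("access token does not own the requested user")
    return user


if __name__ == "__main__":
    # Demonstrates the leak and the fix on the constructed data.
    print("vulnerable:", get_user_vulnerable("tok-alice", "bob")["email"])
    try:
        get_user_fixed("tok-alice", "bob")
    except PermissionError as err:
        print("fixed:", err)
```

The ownership comparison is the whole fix: a bearer token proves who the caller is, and every object-level lookup keyed by a client-supplied identifier has to be checked against that identity rather than trusting the identifier.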

Apparently, the Pinterest Security Team listened, and confirmed that the exploit has been patched.

“My experience with Pinterest has been outstanding. I'm glad that Pinterest is much more open to the discussion of security issues,” said Melamed. “Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.”
