26 Aug 2013
A critical vulnerability in Pinterest exposed 70 million accounts to potential hacking, according to security researcher Dan Melamed. The exploit allegedly allowed cyber-criminals to view the e-mail addresses of all Pinterest users.
By replacing the /me/ part of a link with someone else's username, anyone was able to see that user's email address. According to the researcher, the flaw worked for any user on Pinterest and with any access token.
“With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat,” Dan Melamed said. “A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.”
The security researcher provided a simple fix for the Pinterest exploit. Checking the owner of the access token against the user whose information is being requested will prevent abuse. Melamed also published a video proof of concept for the Pinterest vulnerability.
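The following is an added illustration of the flaw and the fix described above; it is not Pinterest's code and does not reflect how their API was implemented. The token table, the user records and the path-segment handling are all constructed for the example. It contrasts a handler that only checks that the access token is valid with one that also checks that the token's owner is the user whose record is requested, which is the fix the researcher proposed.

```python
"""Added example, not Pinterest's code: a minimal profile endpoint modelled on
the reported flaw. Token store, user records and the '/me/' path convention
are constructed for illustration."""

# Constructed access-token table: token -> username of the token's owner.
TOKENS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}

# Constructed user records. The e-mail address is the private field.
USERS = {
    "alice": {"username": "alice", "email": "alice@example.com"},
    "bob": {"username": "bob", "email": "bob@example.com"},
}


def resolve_username(path_segment, token_owner):
    """Map the path segment to a username: 'me' means the token's owner."""
    return token_owner if path_segment == "me" else path_segment


def vulnerable_profile(token, path_segment):
    """Before the fix: only the token's validity is checked, never whether its
    owner matches the requested user, so swapping 'me' for another username
    returns that user's full record, e-mail address included."""
    if token not in TOKENS:
        return 401, None
    username = resolve_username(path_segment, TOKENS[token])
    user = USERS.get(username)
    if user is None:
        return 404, None
    return 200, dict(user)


def fixed_profile(token, path_segment):
    """After the fix: the full record (with private fields) is returned only
    when the token's owner is the requested user; anyone else gets the public
    subset of the record."""
    if token not in TOKENS:
        return 401, None
    owner = TOKENS[token]
    username = resolve_username(path_segment, owner)
    user = USERS.get(username)
    if user is None:
        return 404, None
    if username != owner:
        # Authorization check: requester is not the resource owner, so the
        # private field is stripped rather than returned.
        return 200, {"username": user["username"]}
    return 200, dict(user)


if __name__ == "__main__":
    print(vulnerable_profile("tok-alice", "bob"))  # full record, e-mail leaked
    print(fixed_profile("tok-alice", "bob"))       # public subset only
    print(fixed_profile("tok-alice", "me"))        # alice's own full record
```

The important design point is that token validity (authentication) and ownership of the requested resource (authorization) are separate checks; the vulnerable handler performs only the first. A regression test that calls the endpoint with one user's token and another user's name, and asserts that no private field comes back, is the simplest way to keep this class of bug from returning.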
The platform’s Security Team has said the exploit has been patched and added the security expert to their Heroes List together with two other researchers.