70 Million User Accounts Exposed Due To Pinterest Exploit

In the recent past, we have seen that many social networks have been struggling with hacks and leaks which allow access to information about user accounts. It now seems that Pinterest has finally made the list. Dan Melamed found a critical vulnerability in the social network which would allow a potential hacker to view the emails of millions of users.



Dan Melamed is a notable security researcher, and although the exploit he has discovered may seem trifling, it breaches the privacy of millions of users in a serious manner. According to Melamed, the flaw exposes the email IDs of nearly 70 million users. This essentially means that a hacker, by exploiting the flaw, can see the emails of all these users and then use that information for any nefarious purpose.

Melamed has posted on his blog that the critical flaw can be exploited simply by going to the following URL:

https://api.pinterest.com/v3/users/me/?access_token=MTQzMTYwMjozNTcxOTE5NTE2MDQyNjcxNzc6MnwxMzc3MDY4ODMyOjAtLTE2ZWJjNDg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=

Once you’ve opened this page, it displays the information of your own Pinterest account, if you’re logged in. Now, all you have to do is replace the ‘/me/’ part with the username of anyone else. This immediately reveals the information specific to that particular account.
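The behaviour described above is what an API shows when a valid access token is treated as permission to read any account's full record. The sketch below is an added example, not code from Melamed's post or from Pinterest: it puts that flawed handler beside a corrected one and adds a regression check for cross-account leaks. The user records, tokens and field names are constructed for illustration.

```python
# Constructed sample data; field names and tokens are hypothetical, not Pinterest's schema.
USERS = {
    "alice": {"username": "alice", "full_name": "Alice A.", "email": "alice@example.com"},
    "bob": {"username": "bob", "full_name": "Bob B.", "email": "bob@example.com"},
}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}  # access token -> owning account
PUBLIC_FIELDS = ("username", "full_name")


def _resolve(path_user, access_token):
    """Return (caller, target record), mapping 'me' to the token's owner."""
    caller = TOKENS.get(access_token)
    if caller is None:
        return None, None
    target = caller if path_user == "me" else path_user
    return caller, USERS.get(target)


def get_user_vulnerable(path_user, access_token):
    """Flawed pattern: a valid token is treated as permission to read any account."""
    caller, record = _resolve(path_user, access_token)
    if caller is None:
        return 401, {}
    if record is None:
        return 404, {}
    return 200, dict(record)  # whole record, email included


def get_user_hardened(path_user, access_token):
    """Private fields are returned only when the target is the token's owner."""
    caller, record = _resolve(path_user, access_token)
    if caller is None:
        return 401, {}
    if record is None:
        return 404, {}
    if record["username"] == caller:
        return 200, dict(record)
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def cross_account_leaks(handler):
    """Regression check: every (caller, target, field) where a private field crosses accounts."""
    leaks = []
    for token, caller in TOKENS.items():
        for target in USERS:
            if target != caller:
                _, body = handler(target, token)
                leaks += [(caller, target, f) for f in body if f not in PUBLIC_FIELDS]
    return sorted(leaks)
```

Running `cross_account_leaks` against every user-lookup handler in a test suite catches this class of flaw before release, because it fails whenever a field outside the public allowlist appears in a response for someone else's account.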

Melamed also posted a proof-of-concept video to highlight the issue further.

Apparently, a similar exploit was found in StumbleUpon a while ago, also discovered by Melamed. StumbleUpon eventually patched this exploit and we hope that Pinterest will also be quick to take care of this.

Source: Dan Melamed


Salman

Salman Latif is a software engineer with a specific interest in social media, big data and real-world solutions using the two. Other than that, he is a bit of a gypsy. He also writes on his own blog. You can find him on Google+ and Twitter.
