Critical Pinterest Exploit Compromised User Privacy http://t.co/Cb8wVVQ9Y0— Dan Melamed (@thedanmelamed) August 24, 2013
Since its opening in 2010, Pinterest’s popularity has grown a great deal, but with that popularity comes the people looking for exploits within the site; security researcher Dan Melamed might have found one of the more egregious examples.
Melamed’s discovery could expose the information of more than 70 million accounts registered on Pinterest. He discovered that modifying an ‘access_token’ URL would make it possible to view the email address associated with the account. As his YouTube video shows, it takes little time to do.
While viewing an email address alone would not be enough to take over an account, it opens the doors to other problems; someone could easily harvest those email addresses for nefarious purposes. If that were to happen, a hacker could gain millions of email addresses with very little effort on their behalf.
Melamed contacted Pinterest’s security team about this bug and they have now confirmed it to be fixed. This exploit no longer works, but it remains a reminder about how little effort this would have taken prior to the fix. Miraculously, it seems, nobody ever took advantage of this.
Source: The Hacker News