14 DAY TRIAL // Security researcher Dan Melamed has uncovered a vulnerability in Pinterest that could have been exploited by hackers to see the email address of any user.
This is the link that led to the flaw’s discovery:
https://api.pinterest.com/v3/users/me/?access_token=MTQzMTYwMjozNTcxOTE5NTE2MD QyNjcxNzc6MnwxMzc3MDY4ODMyOjAtLTE2ZWJjN Dg4NzYxYTFmZWIwZmU0ODcxYzc3ZWUyN2E2YTdhOWNlN2I=
The expert found that the “/me/” part of the link could be replaced with any user’s username or ID.
By utilizing any access token, an attacker could have viewed his target’s email address – information that can be used for a number of malicious purposes, including spam campaigns and phishing.
Fortunately, Pinterest rushed to address the issue.
Melamed claims that a similar vulnerability has been identified in StumbleUpon. However, in the case of StumbleUpon, an attacker could have gained access not only to email addresses, but also to the targeted user’s full name, age, gender, and location.
Take a look at the proof-of-concept video published by the security researcher.