14 DAY TRIAL // Pinterest, the pinboard social media website whose popularity increased so much that even Facebook’s CEO Mark Zuckerberg signed up, was found to contain a number of vulnerabilities that could allow an attacker to cause serious damage.
Shadab Siddiqui, the security researcher that lately provided us with tons of information regarding the presence of vulnerabilities in some major websites, found that the site which has more than 10 million active users is really poor in the security department.
Siddiqui identified a cross-site scripting (XSS) vulnerability and an iframe injection issue that could allow hackers to hijack user accounts and perform other malicious operations.
With the aid of another security researcher, Deepanker Verma, he found a URL redirection flaw that could be leveraged to redirect the site’s visitors to other potentially malicious domains.
The experts provided us with three screenshots that prove the existence of the flaws, along with a proof of concept that demonstrates the URL redirection security hole.
We have contacted Pinterest’s administrators and sent them all the information needed to identify and patch up the problems. Hopefully, they’ll address the weaknesses to prevent any unfortunate incidents that may affect their customers.
Siddiqui also discovered a large number of vulnerabilities on the official website of Alshaya, one of the largest retail companies in the Middle East.
After being notified by the researcher, Alshaya patched up some of the flaws, but it seems that a lot of holes still exist.
“I had already informed them and they had just patched directory listing vulnerability through which the database details can be found,” he told us.
The site still contains an XSS, multiple SQL injection issues, and a CRSF vulnerability.
At the time of writing, the website is working intermittently which may indicate the fact that its administrators are working on addressing the security holes.
Update. Pinterest representatives rushed to address the issue we've reported which proves once again that companies which really care about their customers' safety can collaborate well with security researchers and grey hats.
