


Pinterest patched critical security flaw that compromised users’ privacy

Aug 26, 2013
Topics: Data and Information Security, Enterprise Applications, Microsoft

Security researcher Dan Melamed found a flaw that could have compromised the privacy of over 70 million photo-loving Pinterest users.

If you like photos, then you most likely love Pinterest. A French study by Semiocast in July found that the highly addictive photo-pinning social media site had 70 million users, 70% of them in America. Had someone with malicious intent been able to harvest every email address tied to those accounts, the result would have been far worse than an unpleasant user experience: a ready-made mailing list for spammers. Thankfully, it was a good guy who found and reported a flaw that could have compromised the privacy of those 70 million photo-loving Pinterest people.


Security researcher Dan Melamed discovered a critical Pinterest vulnerability that “could have spelled disaster in the hands of a black hat.” That’s because the flaw could be exploited to reveal the email address of any Pinterest user. It could have been heaven for spammers and scammers; as Melamed pointed out, “A hacker could have setup a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.”

In his proof-of-concept video, Melamed shows a Pinterest API request that carries a user’s access token and fetches that user’s own profile through a /me/ path segment. Swapping /me/ for another Pinterest username returned that user’s profile, email address included, and the flaw worked with any Pinterest username or user ID. In other words, the API checked that the token was valid but never checked that the token’s owner was entitled to the record being requested, the classic access-control failure in which an authenticated caller can read any object simply by naming it.
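To make concrete what that swap means on the server side, here is an added example (not Pinterest’s code, and not taken from Melamed’s report): a toy API handler with the flaw beside a hardened one, plus the harvesting loop Melamed warned a bot could run. The /v1/users/ path, the token strings, the field names and the sample accounts are all assumptions constructed for the illustration.

```python
# Added example, not Pinterest's or Melamed's code: a minimal model of the
# access-control bug described above, beside a hardened handler. Endpoint
# path, token format, field names and sample users are all assumptions.
import re

# Constructed sample data for the example: bearer tokens mapped to the account
# they were issued to, and the profiles the API serves.
TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
PROFILES = {
    "alice": {"id": 101, "username": "alice", "email": "alice@example.com"},
    "bob":   {"id": 102, "username": "bob",   "email": "bob@example.com"},
    "carol": {"id": 103, "username": "carol", "email": "carol@example.com"},
}
# Fields any authenticated caller may see about any other user.
PUBLIC_FIELDS = {"id", "username"}

_PATH = re.compile(r"^/v1/users/([A-Za-z0-9_]+)/?$")


def _resolve_target(path, caller):
    """Map /v1/users/<me|username|numeric id> to a username, or None."""
    m = _PATH.match(path)
    if not m:
        return None
    ref = m.group(1)
    if ref == "me":
        return caller
    if ref.isdigit():  # the article notes the flaw worked by user ID too
        for name, profile in PROFILES.items():
            if profile["id"] == int(ref):
                return name
        return None
    return ref if ref in PROFILES else None


def vulnerable_handler(path, token):
    """The bug: the token is only checked for validity. Once the caller is
    authenticated, whatever user the path names is returned in full, so
    swapping 'me' for another username leaks that user's email."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401, None
    target = _resolve_target(path, caller)
    if target is None:
        return 404, None
    return 200, dict(PROFILES[target])


def fixed_handler(path, token):
    """Object-level authorization: the token's subject is compared with the
    requested object. Private fields (email) come back only for the caller's
    own record; anyone else's record is reduced to PUBLIC_FIELDS."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401, None
    target = _resolve_target(path, caller)
    if target is None:
        return 404, None
    record = PROFILES[target]
    if target == caller:
        return 200, dict(record)
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def harvest_emails(handler, token, user_refs):
    """What the hypothetical bot would do: walk a list of usernames or ids
    with a single token and collect every email the API hands back."""
    emails = []
    for ref in user_refs:
        status, body = handler(f"/v1/users/{ref}", token)
        if status == 200 and body.get("email"):
            emails.append(body["email"])
    return emails


if __name__ == "__main__":
    refs = ["alice", "bob", "103"]
    print("vulnerable:", harvest_emails(vulnerable_handler, "tok-alice-123", refs))
    print("fixed:     ", harvest_emails(fixed_handler, "tok-alice-123", refs))
```

Run against the same three references with one token, the vulnerable handler hands back all three email addresses while the fixed one returns only the caller’s own. The fix is deliberately not “reject requests for other users”: public profile data still has to be served, so the check is on which fields a given caller may see of a given record, which is where a token-validity check alone falls short.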

The security team at Pinterest acted quickly to patch the hole and to protect its users’ privacy. It then added Melamed to the Heroes of Pinterest list and gave him permission to disclose the exploit.

Apparently, the security team at StumbleUpon is not so friendly to security researchers. Melamed discovered a similar security flaw in StumbleUpon, which allowed him to “view the full name, email address, age, gender, and location of any user on StumbleUpon.” Although the site patched the hole, it refused to give him permission to disclose the exploit.

He added, “Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.”

Tidbits about Pinterest

Pinterest launched in 2010 with just 15 employees; it now has 140 employees. Although “Pinterest has yet to accept advertising,” it may start “experimenting with monetization” within the next year. USA Today estimated that the site has about 50 million monthly visitors, many of whom “spend hours on the site every day.”

The social media site came out of nowhere and “emerged as a power player” for driving website traffic. Folio reported that Pinterest now drives more than 20% of traffic, “topping legacy referrers such as Google and Yahoo.” If you’ve been wondering whether to use Pinterest to promote your brand or business, the advice was to “realize the lifespan of a pin.”

A pin lives longer than any other piece of social content. A Tweet can disappear within minutes, and thanks to Facebook’s algorithms, a post might not even be seen by 70 percent of your audience. But with Pinterest, a site might experience a spike in traffic from content pinned 30 days ago.

A recent study published in the Harvard Business Review found “that nearly a quarter (21%) of Pinterest users headed to the store to buy an item they liked or pinned on their own board” and “most customers (80%) tend to buy within three weeks of pinning.”

Happy pinning! And a big thank you to Dan Melamed for reporting a flaw in the site that could have compromised our privacy by handing our email addresses over to spammers.



ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.