Pinterest And StumbleUpon patch critical flaws that could have exposed over 100 million users' email addresses

Filed Under: Featured, Privacy, Security threats, Social networks

Pinterest logoPinterest and StumbleUpon have patched critical vulnerabilities in their services that could have enabled an attacker to discover users' email addresses.

The flaws, discovered by security researcher Dan Melamed, were quite simple to exploit and could have been employed to build a huge list of email addresses which would have been extremely valuable to someone looking to profit from the service. As Melamed put it:

With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have setup a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.

Melamed discovered that changing a small part of a specific URL to a user's ID or username would allow him to return a page that displayed their email address.

He gave an example URL on his blog which demonstrated how it would return the email address for the user 'pinterest':

pinterest flaw

This flaw works with any user on Pinterest. It works with either a username or a user id. And it works with any access token. A solution to this problem, is to check the owner of the access token against the user whose information is being requested.

He also posted a video as a proof of concept:

Melamed shared his discovery with the Pinterest security team who he said responded quickly to protect users' privacy.

Pinterest also recognised him in its Heroes of Pinterest list and gave him permission to share his findings with the security community.

Stumble Upon logoThe security researcher had an altogether different experience with StumbleUpon, a site that caters to some 30 million users. He discovered a similar flaw that allowed him to view the name, age, gender, location and email address of any of its users but was unable to gain permission to reveal the exploit.

An email from Barry Conway, StumbleUpon Community Advocate said,

"As far as I understand it, the team deployed a fix for the specific issue which you so kindly reported to us, and they were - as you might imagine - conducting a code review to make sure that nothing similar had been released into the wild"

We do understand that you'd like to publish, and in that respect we hope that you appreciate that we are not in a position to actively "give you permission" to do so, nor officially support this move. I imagine we're not alone in preferring to take a "no comment" stance on the subject of security (and other aspects of how our system works!)"

While it is good to see that StumbleUpon have patched the flaw that was identified, I'm still somewhat disappointed by its "no comment" stance. Dan Melamed has done StumbleUpon a great service and I believe the site could have benefited from being more receptive to the security community in this instance.

As Melamed himself said, "Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses."

I, for one, am glad that a security researcher was the first person to discover this and that he shared the details in a responsible manner.

, ,

You might like

2 Responses to Pinterest And StumbleUpon patch critical flaws that could have exposed over 100 million users' email addresses

  1. Guest · 769 days ago

    I've got several friends who got "did you try to change your password" emails from Pintrest in the last couple weeks. I don't think the security researcher was the first to figure this out.

  2. Nigel · 769 days ago

    I've had one series of interactions with StumbleUpon that forever turned me off to having an account with them. They required me to provide them with my date of birth (D.O.B.) upon registration. I wouldn’t do it. Sure, I could lie about it, but the Terms of Service agreement requires me to provide registration information that is "truthful and accurate". They want to turn me into a liar.

    When I inquired about the D.O.B. requirement, they advised me that its purpose is to certify that I meet their minimum age requirement. I replied, "Then why not just ask me to certify that I meet the requirement? Why do you want my D.O.B.? If you have a security breach, that gives me much greater exposure to the hazard of identity theft.,"

    Long story short, they wouldn't budge. And now comes this news about a potential security breach. It pretty much validates my original conclusion—namely, that they care more about getting their hands on my personal information than they do about my risk in giving it to them. And their "no comment" stance seems entirely consistent with the intransigence I previously experienced. I'll have nothing to do with StumbleUpon until they get more serious about security.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.