Pinterest and StumbleUpon have patched critical vulnerabilities in their services that could have enabled an attacker to discover users’ email addresses.
The flaws, discovered by security researcher Dan Melamed, were quite simple to exploit and could have been employed to build a huge list of email addresses which would have been extremely valuable to someone looking to profit from the service. As Melamed put it:
With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have setup a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.
Melamed discovered that changing a small part of a specific URL to a user’s ID or username would allow him to return a page that displayed their email address.
He gave an example URL on his blog which demonstrated how it would return the email address for the user ‘pinterest’:
This flaw works with any user on Pinterest. It works with either a username or a user id. And it works with any access token. A solution to this problem, is to check the owner of the access token against the user whose information is being requested.
He also posted a video as a proof of concept:
Melamed shared his discovery with the Pinterest security team who he said responded quickly to protect users’ privacy.
Pinterest also recognised him in its Heroes of Pinterest list and gave him permission to share his findings with the security community.
The security researcher had an altogether different experience with StumbleUpon, a site that caters to some 30 million users. He discovered a similar flaw that allowed him to view the name, age, gender, location and email address of any of its users but was unable to gain permission to reveal the exploit.
An email from Barry Conway, StumbleUpon Community Advocate said,
"As far as I understand it, the team deployed a fix for the specific issue which you so kindly reported to us, and they were - as you might imagine - conducting a code review to make sure that nothing similar had been released into the wild"
We do understand that you'd like to publish, and in that respect we hope that you appreciate that we are not in a position to actively "give you permission" to do so, nor officially support this move. I imagine we're not alone in preferring to take a "no comment" stance on the subject of security (and other aspects of how our system works!)"
While it is good to see that StumbleUpon have patched the flaw that was identified, I’m still somewhat disappointed by its “no comment” stance. Dan Melamed has done StumbleUpon a great service and I believe the site could have benefited from being more receptive to the security community in this instance.
As Melamed himself said, “Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.”
I, for one, am glad that a security researcher was the first person to discover this and that he shared the details in a responsible manner.