Pinterest security flaw uncovered

August 28, 2013

Pinterest has been made aware of a security flaw that could make the personal details of its users accessible to anyone.

Security researcher Dan Melamed discovered the issue, which makes the email address of anybody on Pinterest visible, simply by providing a username or ID.

The expert has recommended that the site checks the owner of the access token against the user whose information has been requested, which would help ensure that data does not end up in the wrong hands.

Pinterest has taken action to rectify the flaw – perhaps after carrying out a security audit of its own – after the severity of a potential breach was recognised.

Melamed explained that a hacker could have set up a bot, which would have been able to retrieve all of the email addresses before using them for spam or other malicious purposes.

A similar issue was uncovered on the site StumbleUpon, which enabled the security researcher to view users’ full names, email addresses, age, gender and location.

He noted that by exploiting these two sites, hackers could have access to in excess of 100 million email addresses, which may prove dangerous if they were to be used by hackers.