Pinterest and StumbleUpon patch critical flaws that could have exposed over 100 million users’ email addresses

Pinterest and StumbleUpon have patched critical vulnerabilities in their services that could have enabled an attacker to discover users’ email addresses.
The flaws, discovered by security researcher Dan Melamed, were quite simple to exploit and could have been used to build a huge list of email addresses, which would have been extremely valuable to someone looking to profit from the services’ users. As Melamed put it:
With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.
Melamed discovered that substituting a user’s ID or username into a small part of a specific URL returned a page that displayed that user’s email address, with no check that the requester was entitled to see it.
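The flaw described above is the classic insecure direct object reference (IDOR) pattern: a handler looks up whatever ID appears in the URL and returns the full record without checking who is asking. The example below is added here and is not code from the article, from Pinterest or from StumbleUpon; the user records, the `Request` stand-in and the handler names are constructed for illustration. It shows the vulnerable handler next to a hardened one that releases the email field only to the record's owner, plus two checks a defender would keep: a regression test that counts how many emails an unauthenticated caller can collect across all IDs, and a log-based detector that flags a session requesting many distinct profiles.

```python
"""
Added example (not from the article): an IDOR-style profile endpoint,
its hardened counterpart, and two defensive checks around it.
All data and names below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed user records; nothing here is real account data.
USERS: Dict[int, Dict[str, str]] = {
    101: {"username": "alice", "email": "alice@example.test", "bio": "Likes pins"},
    102: {"username": "bob", "email": "bob@example.test", "bio": "Likes stumbles"},
    103: {"username": "carol", "email": "carol@example.test", "bio": "Collector"},
}

# Fields that are safe to show to any visitor of a public profile page.
PUBLIC_FIELDS = ("username", "bio")


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an HTTP request: who is logged in (None if
    nobody) and which user ID was supplied in the URL."""
    session_user_id: Optional[int]
    requested_user_id: int


def profile_vulnerable(req: Request) -> Optional[dict]:
    """Vulnerable: trusts the ID in the URL and returns the whole record.
    Any caller can walk the ID space and read every email address."""
    user = USERS.get(req.requested_user_id)
    return dict(user) if user else None


def profile_hardened(req: Request) -> Optional[dict]:
    """Hardened: public fields for everyone, the email only when the
    authenticated session belongs to the requested record's owner."""
    user = USERS.get(req.requested_user_id)
    if user is None:
        return None
    response = {field: user[field] for field in PUBLIC_FIELDS}
    if req.session_user_id is not None and req.session_user_id == req.requested_user_id:
        response["email"] = user["email"]
    return response


def count_leaked_emails(handler: Callable[[Request], Optional[dict]]) -> int:
    """Regression check for a test suite: simulate an unauthenticated visitor
    requesting every known profile and count how many responses carry an
    email address. A hardened endpoint must return 0."""
    leaked = 0
    for user_id in USERS:
        page = handler(Request(session_user_id=None, requested_user_id=user_id))
        if page and "email" in page:
            leaked += 1
    return leaked


def flag_enumeration(access_log: Iterable[Tuple[str, int]], threshold: int) -> List[str]:
    """Detection: given (session_id, requested_user_id) pairs from an access
    log, return the sessions that touched more than `threshold` distinct
    profile IDs. Bulk ID walking is the signature of the harvesting bot the
    article warns about; ordinary browsing touches only a handful."""
    distinct: Dict[str, set] = defaultdict(set)
    for session_id, user_id in access_log:
        distinct[session_id].add(user_id)
    return sorted(s for s, ids in distinct.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable endpoint leaks", count_leaked_emails(profile_vulnerable), "emails")
    print("hardened endpoint leaks", count_leaked_emails(profile_hardened), "emails")
    # Constructed access log: one normal browsing session and one ID walker.
    log = [("sess-normal", 101), ("sess-normal", 102)]
    log += [("sess-walker", uid) for uid in range(100, 150)]
    print("flagged sessions:", flag_enumeration(log, threshold=10))
```

The ownership check lives in the handler rather than in the template because the page that rendered the address is not the only consumer; an API or mobile endpoint backed by the same lookup would leak identically. The enumeration detector is deliberately coarse (distinct IDs per session over the whole log); in production it would be windowed by time and keyed by session and source address together.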