

Pinterest hacked? - franksvalli
http://www.jontsai.com/2013/05/11/aws-ec2-security-vulnerability-and-pinterest-hacked/

======
fiatpandas
This looks like a spam bot command and control center. Highly doubt this is
what the author thinks he stumbled into.

Edit: biggest giveaway besides the add user page asking for a session and csrf
token is the "failing accounts" and fail logs, which the spammer likely uses
to figure out which accounts have been banned from posting or throttled.

~~~
rallison
This actually makes the post interesting for an entirely different reason. I'd
love to see further analysis on the accounts contained in this c&c center.
Given that the author has the user names of a number of likely spambot
accounts, I imagine one could glean some useful information from this.

------
entropyneur
Pretty sure that is not Pinterest:

* The admin looks way too trivial for a site of that magnitude

* Pinterest is built with Django which comes with a secure auth framework included that stores passwords hashed and salted

* Why would Pinterest refer to their own users as "Pinterest users"?

Looks more like a Pinterest spam bot to me.

~~~
Uchikoma
What about "My friend tells me that I should also mention that I was able to
log in with the emails/passwords leaked."?

~~~
entropyneur
Well, if it's a spam bot that creates Pinterest user accounts then one would
obviously be able to log in to those accounts.

~~~
amccloud
I think it's used to manage accounts and could be used for spam. The giveaway
is the form asking for csrf token and session id; both required for Django to
authenticate and accept a POST request.

------
amccloud
Last time I checked, Pinterest is built on Django. They would explicitly need
to go out of their way to store passwords insecurely.

Also, the fact that the form in your screenshot asks for a csrf token and session
id is very odd.

I'd argue that you found something that wasn't built by Pinterest but instead
someone's tool for controlling and managing multiple Pinterest accounts.

~~~
est
Django by default uses salted bcrypt; why would anyone NOT do that?

Adding a change password function to a custom model is too trivial

    from django.db import models
    from django.contrib.auth.models import User

    class MyUser(models.Model):
        password = models.CharField(max_length=128)
        # Borrow the hashing helpers from Django's built-in User so the custom
        # model never stores a plaintext password. `__func__` unwraps the
        # Python 2 unbound method into a plain function before attaching it.
        set_password = User.set_password.__func__
        check_password = User.check_password.__func__

And you can call set_password() or check_password() on your instance, just like
Django's admin User.

------
jtchang
Really interesting, but not Pinterest getting hacked. This is simply an admin
interface to spam Pinterest.

The CSRF token and sessionid are probably needed to create an account directly,
because by default Django has CSRF protection built in, and in order to hit the
create-account page you may need to manually grab it.

------
jontsai
Hey everyone, I'm the author of that post. Needless to say, I was wrong and
y'all were right. I made a follow-up entry in case anyone is interested:
[http://www.jontsai.com/security/2013/05/12/pinterest-wasnt-hacked/](http://www.jontsai.com/security/2013/05/12/pinterest-wasnt-hacked/)

As I mention there, there was still a minute possibility that even if this
didn't belong to Pinterest, it could have been an internal tool for a small
team or an employee hack day/side project that got accidentally exposed.

------
bifrost
Oops. The elastic IP reuse problem is actually pretty interesting/funny
because I've seen a few scenarios.

The easiest one is cross-site scripting sourced from a recently decommissioned
elastic IP. It's easy, really easy in fact. So much so that it's been done more
than once (duh).

It's been used for phishing, except the IP wasn't hijacked or misused; it was
just reused by someone who was attentive enough to wonder what all that HTTP
traffic was about.

It's been used for "shocksiting", where all of a sudden your favorite AWS
hosted website redirects to one of the more famous shocksites, serves an ad
and makes them money. I won't share any of the links here; they're easy to
find.

This current Pinterest problem is pretty bad. I just checked the date on my
machine and it's 2013, so nobody with any sense should be storing unencrypted
passwords. Even ROT13 would be better than nothing...
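
What "hashed and salted" means in practice, for est's snippet above and bifrost's point about unencrypted passwords: an added example, not code from this thread or from Django, that writes and verifies entries in the `algorithm$iterations$salt$hash` layout Django's PBKDF2 hasher uses, with only the standard library. The constant values and function names are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Entry layout: algorithm$iterations$salt$base64(hash). The values below are
# this example's assumptions, chosen to mirror Django's PBKDF2 hasher.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _pbkdf2(password: str, salt: str, iterations: int) -> str:
    """Derive the raw hash and return it base64-encoded for storage."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return base64.b64encode(digest).decode("ascii")


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the encoded entry; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = secrets.token_urlsafe(SALT_BYTES)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    return f"{ALGORITHM}${iterations}${salt}${_pbkdf2(password, salt, iterations)}"


def check_password(password: str, encoded: str) -> bool:
    """Re-derive the hash from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, stored = encoded.split("$", 3)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or plaintext entry: never treat as a match
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = _pbkdf2(password, salt, rounds)
    return hmac.compare_digest(candidate, stored)
```

Because the salt is stored alongside the hash, two users with the same password still get different entries, and a leaked table cannot be read back the way the screenshots in the post suggest.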

------
wilfra
[http://www.quora.com/Pinterest/Why-does-Pinterest-store-passwords-in-plaintext/answer/Tracy-Chou?srid=hLJt&share=1](http://www.quora.com/Pinterest/Why-does-Pinterest-store-passwords-in-plaintext/answer/Tracy-Chou?srid=hLJt&share=1)

Q: Why does Pinterest store passwords in plaintext?

A: Tracy Chou, software engineer at Pinterest - "We don't."

