When inviting other users to a group board, a POST request is sent to the /_/graphql/ endpoint with some parameters in the body. By changing the value of the boardId parameter to the target group board ID, we can tell from the differences in the response body whether the board owner has the “Invite other people” feature enabled or not.
Users without roles on a group board can see whether the group board owner has the “Invite other people” feature enabled on it or not.

Users

User A (victim)
User B (attacker)

Steps

1. From User B, get the group board ID that User A has.
2. From User B, invite another user to your own group board while intercepting the request.
3. A POST request will be sent to the /_/graphql/ endpoint with some parameters in the body like {"queryHash":"random_hash","variables":{"collaboratorIds":["another_user_id"],"boardId":"attacker_group_board_id","message":""}}
4. Change the value of the boardId parameter to the target group board ID > send request.
5. Response when the feature is active:
{"data":{"v3InviteBoardCollaboratorsMutation":{"__typename":"ClientError","__isError":"ClientError","error":{"message":"Victim needs to be a follower.","paramPath":null}}}}
6. Response when the feature is not active:
{"data":{"v3InviteBoardCollaboratorsMutation":{"__typename":"ClientError","__isError":"ClientError","error":{"message":"Only the owner of this group board can invite collaborators.","paramPath":null}}}}

August 24, 2024 : Submit a report via Bugcrowd
August 28, 2024 : Triager sends a message to the Pinterest team
August 31, 2024 : Pinterest staff changes to P5 — Resolved
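As an added illustration (not code from this report or from Pinterest), here is a hypothetical model of a check ordering that would produce the two responses in the steps above, beside a version that authorises the requester first and answers every non-member identically, so the response no longer reveals the board setting. The Board class, the generic denial message and the user IDs are assumptions; only the two quoted error strings come from the report.

```python
from dataclasses import dataclass, field

OWNER_ONLY = "Only the owner of this group board can invite collaborators."
NEEDS_FOLLOWER = "Victim needs to be a follower."
GENERIC_DENY = "You cannot invite collaborators to this board."  # constructed

@dataclass
class Board:  # hypothetical model, not the real data model
    owner_id: str
    allow_collaborator_invites: bool = False  # the "Invite other people" setting
    collaborator_ids: set = field(default_factory=set)
    follower_ids: set = field(default_factory=set)

def can_invite(board, requester_id):
    """Owner may always invite; collaborators only when the setting is on."""
    if requester_id == board.owner_id:
        return True
    return board.allow_collaborator_invites and requester_id in board.collaborator_ids

def invite_leaky(board, requester_id, invitee_id):
    # Assumed ordering that reproduces the page's two responses: with the setting
    # on, the invitee check runs before the requester is authorised, so a
    # non-member's error message depends on the setting.
    if board.allow_collaborator_invites:
        if invitee_id not in board.follower_ids:
            return NEEDS_FOLLOWER
        if not can_invite(board, requester_id):
            return OWNER_ONLY
    elif requester_id != board.owner_id:
        return OWNER_ONLY
    elif invitee_id not in board.follower_ids:
        return NEEDS_FOLLOWER
    board.collaborator_ids.add(invitee_id)
    return "ok"

def invite_fixed(board, requester_id, invitee_id):
    # Authorise the requester before any other validation and give every
    # unauthorised requester the same answer, whatever the board setting.
    if not can_invite(board, requester_id):
        return GENERIC_DENY
    if invitee_id not in board.follower_ids:
        return NEEDS_FOLLOWER
    board.collaborator_ids.add(invitee_id)
    return "ok"

def setting_is_observable(invite):
    """Regression check: does a non-member's response change with the setting?"""
    on = Board(owner_id="victim", allow_collaborator_invites=True)
    off = Board(owner_id="victim", allow_collaborator_invites=False)
    return invite(on, "attacker", "someone") != invite(off, "attacker", "someone")
```

The setting_is_observable check is the kind of test a team can keep in its suite so that a later refactor of the resolver cannot reintroduce the oracle.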