Removed Employees Can See Invited Users Accept/Decline Invitations on Pinterest Business

Description

On Pinterest, there is a business manager feature that has 3 roles, namely account owner, employee, and partner. The account owner can invite employees to his business with 2 roles such as employees (employee/manager role). Employees (manager role) can invite other users to become employees (with any role) or partners. I found this issue when employees (manager role) still received notifications that other users accepted their invitation/not in the victim’s business even though the account owner had deleted them (the inviter) from the business manager.

Impact

This bug allows removed employees to see whether users invited to the victim’s business accepted/declined the invitation.

Reproduction Steps

Users

• User A and C (victims)
• User B (attacker)

Account types

• User A, B, and C (business)

Steps

1. From User A invite User B to your business as an employee and give him the role of “Manager”.
2. From User B accept the invitation.
3. From User B invite User C to User A’s business as an employee and give him any role.
4. From User A delete User B from your business.
5. From User C accept the invitation.
6. From User B check the notification sent to your email > you will see that User C has just accepted your invitation to User A’s business > if there is no notification within 14 days, it means that User C rejected the invitation or he deliberately let the link expire.

Timeline

August 10, 2024 : Submit report via Bugcrowd

August 12, 2024 : Triaged

August 15, 2024 : Points awarded

August 15, 2024 : Close report as Informational