Unprivileged Users Can See Whether “Invite other people” Feature is Enabled/Disabled on Pinterest Group Boards
Description
Normally only group board collaborators can see whether the "Invite other people" feature is active or not. When a user invites other users to a group board, a POST request is sent to the /_/graphql/ endpoint with some parameters in the body. By changing the value of the boardId parameter to the target group board ID, an outsider can tell from the differing error messages in the response body whether the board owner has the "Invite other people" feature enabled or not.
Impact
This bug allows users with no role on a group board to learn whether the board owner has the "Invite other people" feature enabled on that board or not.
Reproduction Steps
Users
- User A (victim)
- User B (attacker)
Steps
1. From User B, obtain the ID of a group board owned by User A.
2. From User B, invite another user to your own group board while intercepting the request.
3. A POST request is sent to the /_/graphql/ endpoint with parameters in the body like
{"queryHash":"random_hash","variables":{"collaboratorIds":["another_user_id"],"boardId":"attacker_group_board_id","message":""}}
4. Change the value of the boardId parameter to the target group board ID and send the request.
5. Response when the feature is active:
{"data":{"v3InviteBoardCollaboratorsMutation":{"__typename":"ClientError","__isError":"ClientError","error":{"message":"Victim needs to be a follower.","paramPath":null}}}}
6. Response when the feature is not active:
{"data":{"v3InviteBoardCollaboratorsMutation":{"__typename":"ClientError","__isError":"ClientError","error":{"message":"Only the owner of this group board can invite collaborators.","paramPath":null}}}}
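The root cause is an ordering problem in the mutation's checks: the board setting and the invitee's follower status are evaluated, and reported in the error text, before the caller's own right to invite is established. The following added example (illustration for this writeup, not Pinterest's code) models that ordering next to a hardened version that authorizes the caller first and collapses every denial into one identical response. The Board dataclass, the board and user ids, and the function names are all constructed for the example; leaks_setting is a small regression check a team could keep to ensure an outsider's responses no longer differ with the setting.

```python
from dataclasses import dataclass, field


@dataclass
class Board:
    board_id: str
    owner_id: str
    invite_others_enabled: bool  # the "Invite other people" setting
    collaborators: set = field(default_factory=set)
    followers: set = field(default_factory=set)


# Constructed sample data (hypothetical ids, not real Pinterest boards or users).
BOARDS = {
    "board-open": Board("board-open", "user-a", True, {"user-a"}, {"user-c"}),
    "board-closed": Board("board-closed", "user-a", False, {"user-a"}, {"user-c"}),
}


def _client_error(message):
    # Same envelope shape as the responses quoted in the report.
    return {"__typename": "ClientError", "__isError": "ClientError",
            "error": {"message": message, "paramPath": None}}


def invite_collaborators_vulnerable(caller_id, board_id, invitee_ids):
    """Models the ordering the report implies: the setting check and the
    invitee check run before the caller's authorization, so the error text
    an outsider receives depends on the board's setting."""
    board = BOARDS[board_id]
    if not board.invite_others_enabled and caller_id != board.owner_id:
        return _client_error("Only the owner of this group board can invite collaborators.")
    for invitee in invitee_ids:
        if invitee not in board.followers:
            return _client_error("Victim needs to be a follower.")
    if caller_id not in board.collaborators:
        return _client_error("Not a collaborator.")  # too late: setting already leaked
    board.collaborators.update(invitee_ids)
    return {"__typename": "InviteSuccess", "boardId": board_id}


GENERIC_DENY = "You are not allowed to invite collaborators to this board."


def _may_invite(caller_id, board):
    # Owner may always invite; collaborators only when the setting allows it.
    return caller_id == board.owner_id or (
        board.invite_others_enabled and caller_id in board.collaborators)


def invite_collaborators_hardened(caller_id, board_id, invitee_ids):
    """Authorize the caller before consulting any board setting or invitee
    state, and return one fixed message for every denial (unknown board,
    non-collaborator, feature disabled) so nothing about the board leaks."""
    board = BOARDS.get(board_id)
    if board is None or not _may_invite(caller_id, board):
        return _client_error(GENERIC_DENY)
    for invitee in invitee_ids:
        if invitee not in board.followers:
            return _client_error("Invitee needs to be a follower.")
    board.collaborators.update(invitee_ids)
    return {"__typename": "InviteSuccess", "boardId": board_id}


def leaks_setting(handler, outsider="user-b", invitee="user-x"):
    """Regression check: an outsider's responses for a board with the feature
    on and one with it off must be identical. Returns True if they differ."""
    with_feature = handler(outsider, "board-open", [invitee])
    without_feature = handler(outsider, "board-closed", [invitee])
    return with_feature != without_feature


if __name__ == "__main__":
    print("vulnerable leaks setting:", leaks_setting(invite_collaborators_vulnerable))
    print("hardened leaks setting:", leaks_setting(invite_collaborators_hardened))
```

The hardened handler still gives legitimate callers a useful message (the follower requirement is reported only after the caller is known to be allowed to invite), which is the property to preserve: error detail is fine for authorized callers, but a caller who fails authorization must receive the same response regardless of the target's configuration.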
Timeline
August 24, 2024 : Submitted a report via Bugcrowd
August 28, 2024 : Triager sent a message to the Pinterest team
August 31, 2024 : Pinterest staff changed the report to P5 — Informational — Resolved