by Cameron Camp, Security Researcher
We recently highlighted a security walkthrough on Pinterest.com, the pinboard-style sharing website that’s taking social media by storm. Since then, the service has continued to grow, and has continued to have the growing pains common to organizations expanding this quickly. Here we highlight the ways it is adapting, the changes it is making, and what they mean for you.
First, we note that Pinterest, by one account, drives more referral traffic than Twitter, no small feat. We also read that traffic spiked 52 percent between January and February, from 11.7 million unique visitors to 17.8 million, according to a comScore report. On its meteoric rise, it has faced issues ranging from copyright problems to fake gift card scams, and now we are seeing cybercrooks focus squarely on the platform as a delivery method for their scams, aimed at audiences that are new to the site and unfamiliar with its norms.
The gift card scams start by purporting to offer free goods or services, ranging from coffee gift cards to free iPads. We’ve seen this before with more traditional web-based scams, but here the scam is tailored to Pinterest, coaxing the user to click on the pinned entry and wade through endless survey websites before receiving the alleged gift card. The twist is that scammers add a step required to “get your free gift card” which involves re-pinning the original scam, thereby spreading it in your name so that it appears to come from you rather than from the original scammer. From there, some users are encouraged, as a final step before getting the gift card, to install software, which would guarantee a steady supply of pop-up ads and other potentially unwanted applications, or worse. While Pinterest has attempted to crack down on these scams, and users become familiar with them and get wise, the scams are still propagating.
Then there is the issue of copyright. While not strictly a security issue, users could still find themselves in violation of the copyright on a given work, to the chagrin of more than a few of them. It seems that a user is expected to comply with the copyright of a photo they post, for example. But what happens when that same image gets re-pinned, possibly extending its exposure far beyond the scope of the original copyright, a burden which the old terms of service attempted to place on the original poster? That (and related) policy has been updated in the recently released Terms of Service, which you can read here.
Now we see that Pinterest has produced an API for other apps to interact with the service, so we’ll wait and see whether this exposes new security risks or exploits. To address this kind of risk, other services have set up paid bounty programs to reward researchers for finding and reporting issues rather than exploiting them, an approach that has seemed effective at Facebook and Google for some time now. Hopefully Pinterest will consider such a program, or a crowd-sourced variation, which would increase the number of security specialists watching for problems – hopefully before they happen.
In the meantime, many users have been caught off guard by the amount of their Facebook information (since you are required to use either a Facebook or a Twitter account to sign up for Pinterest) which seems to “magically” appear on Pinterest when they log in to the site, especially pins from users whose names are familiar – from the Facebook friend list. One way to ensure that a minimum of information is cross-shared (if you are inclined to restrict it for security reasons, to limit data sprawl, or otherwise) is to restrict your sharing settings in your Pinterest settings page. By ratcheting these down, you can exercise more control over what portion of your friends’ information may ooze over to Pinterest, for whatever uses the service sees fit.
We’ll continue to keep an eye on the security stance of the service as it continues to expand. But the usual advice applies: watch for offers that look “too good to be true”, and take a more minimalist approach to sharing and cross-sharing your friends/contacts across various social media. You’ll be glad you did, and so will your friends, whose information will be better protected against data sprawl and its accompanying problems.