Update 2013-05-12: Pinterest wasn’t really hacked. See follow up to this blog post.
Well, almost hacked. This is rather embarassing (for Pinterest, and maybe AWS?), in that I was able to access what seemed to be their admin page. Furthermore, I discovered through this interface that it seems they do not store passwords encrypted or salted. If I’m not mistaken, I saw usernames, emails, and passwords in plaintext. Let me describe what happened.
I was migrating a Nagios monitoring server, which involved decommissioning the existing EC2 instance and releasing the Elastic IP. Because I didn’t delete my Route 53 DNS entry, and left the Nagios URL open in my browser, I soon noticed that some other content had taken the place in my browser window.
Basically, the apparent Pinterest admin server had requested an Elastic IP from the useast region, and had associated itself to the IP address that I had just released.
A few lessons can be learned from this:
- Pinterest should encrypt and salt their passwords, shame on them for not doing so.
- Pinterest should put their admin server so that it is only accessible from behind a firewall. Ever heard of EC2 security groups? I set up all my servers to expose only certain ports to certain other security groups. Only the external-facing webapp servers have port 80 open to the world.
- Pinterest should put a password on their admin site. Even a shared password internally on the HTTP server is better than having nothing at all.
- A good hacking strategy would be to allocate|associate|disassociate|release Elastic IPs, and to squat on/poll that IP address via several common ports. I got lucky and found one immediately through a browser.
Want proof that I actually did this? How about a screenshot:
My friend tells me that I should also mention that I was able to log in with the emails/passwords leaked. I saved around 37 of them, and tested successful logins for 2 of 2 that I tried. For discretionary purposes, those credentials will not be posted here. However, I will say that those accounts I saw in the admin interface seem to be fake hacker accounts, with the emails being mostly from the same domains.