What I’m going to share with you today is something I’ve never shared publicly before – how my son hacked and defaced the Pinterest website at the age of two. Understandably, you may ask, “how is this possible?” Well, the answer is website security, or the lack of it. I’m going to explain how the incident unfolded, along with screenshot evidence, in the hope it will help others understand the importance of website security.
The fateful day was September 11, 2012. I was with my family staying at Rainbow Bay at Coolangatta just over the border into Queensland on a bit of a working holiday.
Around this time, I had been experimenting with Pinterest and had built up an account with 20,000-30,000 followers. I had a website that went with it, and I was reviewing my referral traffic to see how everything was going and how much traffic Pinterest was driving. Ordinarily, traffic from Pinterest came from a referral path such as pinterest.com/pin/195977021272039526/, where the number string was the reference number of a particular pin. This day I saw something different: pinterest.com/220calave/feed/whitelist/top_sources/ (this link no longer works).
This still shows up in my Google Analytics referrer data (see screenshot below).
Naturally, I copied that URL and plugged it into a browser to see what it was. At first it didn’t make a whole lot of sense – there was just a list of text links. I took /top_sources/ off the end of the URL, and all of a sudden I was staring at the Pinterest admin interface. I couldn’t really believe my eyes.
My curiosity got the better of me, and I started clicking around. I got blocked a lot of the time with access denied error messages; it turned out this whitelist section was the only area I actually had access to.
Category Whitelisting
Category whitelisting appeared to be an interface that allowed the admin to whitelist domains, users and individual boards. Any image that was pinned and matched a whitelisting (whether domain, user or board) would automatically go onto the category home page. This meant being on the whitelist in any of those sections was very beneficial for gaining exposure, repins and hence more traffic.
The following screenshot is of the Photography category. Note, my username was whitelisted in another category.
The Defacing
It was around this time, as I became aware of what I had stumbled upon, that my son came and sat on my lap. To my horror, he started bashing my keyboard. The screen flashed multiple times in front of me before I could grab his hands to stop him.
It wasn’t really clear at first what had actually happened until I noticed that in the Outdoors category, all the whitelisted websites and all the whitelisted boards were Cars & Motorcycles! My son, in his keyboard bashing, had copied the whitelist from Cars & Motorcycles and pasted it into the Outdoors category.
And this is how the Outdoors category now looked on the front end of the website.
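The three failures in this story are an admin section reachable by anyone holding its URL, that URL leaking out through the Referer header into a third party's analytics, and a state-changing admin action that a stray keypress could trigger with no trace of who did it. The following is an added example, not Pinterest's code and not from the original post, showing the pattern that produces the behaviour described above beside a hardened version. The route prefix /admin/, the category names, the domains and the CSRF token scheme are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed route prefix for the example; not Pinterest's real admin paths.
ADMIN_PREFIX = "/admin/"


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None            # authenticated username, None when anonymous
    roles: FrozenSet[str] = frozenset()   # e.g. {"admin"}
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Per-category whitelists (constructed sample data).
WHITELISTS: Dict[str, List[str]] = {
    "outdoors": ["hiking.example", "camping.example"],
    "cars": ["motors.example"],
}
AUDIT_LOG: List[str] = []


def insecure_dispatch(req: Request) -> Response:
    """Pattern behind the incident: every admin handler does its own access
    check, and the whitelist editor's check was never written, so it is the
    one section an unauthenticated visitor can reach."""
    if not req.path.startswith(ADMIN_PREFIX):
        return Response(200, "public page")
    if req.path.startswith(ADMIN_PREFIX + "whitelist/"):
        return Response(200, "whitelist editor")   # no check at all
    if "admin" in req.roles:
        return Response(200, "admin page")
    return Response(403, "access denied")


def secure_dispatch(req: Request) -> Response:
    """Deny by default: a single gate in front of every admin route, then the
    handler, then headers that keep admin URLs out of Referer and caches."""
    if not req.path.startswith(ADMIN_PREFIX):
        return Response(200, "public page")
    if req.user is None:
        return Response(401, "authentication required")
    if "admin" not in req.roles:
        return Response(403, "access denied")
    if req.path.startswith(ADMIN_PREFIX + "whitelist/"):
        resp = whitelist_handler(req)
    else:
        resp = Response(200, "admin page")
    # Outbound links on an admin page (the "list of text links") would
    # otherwise carry the admin URL to other sites' analytics.
    resp.headers["Referrer-Policy"] = "no-referrer"
    resp.headers["Cache-Control"] = "no-store"
    return resp


def whitelist_handler(req: Request) -> Response:
    """Read is GET; copying a whitelist between categories is a POST that
    needs a CSRF token and is written to an audit log with the actor."""
    if req.method == "GET":
        return Response(200, repr(WHITELISTS))
    if req.method != "POST":
        return Response(405, "method not allowed")
    src, dst = req.form.get("copy_from"), req.form.get("copy_to")
    if src not in WHITELISTS or dst not in WHITELISTS or src == dst:
        return Response(400, "bad request")
    # Constructed token check; a real app compares against a per-session secret.
    if req.form.get("csrf_token") != "token-for-" + str(req.user):
        return Response(403, "bad csrf token")
    WHITELISTS[dst] = list(WHITELISTS[src])
    AUDIT_LOG.append(f"{req.user} copied whitelist {src} -> {dst}")
    return Response(200, "updated")
```

With insecure_dispatch an anonymous GET to /admin/whitelist/ returns 200 while /admin/users/ returns 403, which is exactly the "access denied almost everywhere except the whitelist section" experience described above; with secure_dispatch the same anonymous request gets 401, a logged-in non-admin gets 403, and an admin's copy action leaves a line in AUDIT_LOG naming who changed which category. The audit entry is what would have let Pinterest see the change and its source without waiting for an email.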
Coming Clean
When I realised what had happened, I tried to work out who to contact at Pinterest. It was easy finding the right person, so I fired off a few emails and sent a few LinkedIn messages.
No one ever replied, but obviously the word got through. Within a few hours, the Outdoors category was back to showing outdoorsy things, and I could no longer access their admin.