Rohmad Hidayah

Published On: 09 Oct 2024

$200

Removed Collaborators Can Delete Pins on Pinterest Group Boards

Other
General | Web
---
LOW INVALID
Description

On Pinterest public group boards, if a collaborator is removed, they will not be able to delete Pins on the group board. However, they can still delete Pins they saved on the group board, even if the owner removes them from the group board.

Impact

This bug allows a removed collaborator to still be able to delete pins they saved on a public group board.




Reproduction Steps

Step
1

Users

- User A (attacker)

- User B (victim)

Group board types

- Public

Steps

1. From User B, invite User A to your public board (use existing/create new).

2. From User A, accept the invitation > then look for any pin and save it to the group board.

3. From User B, delete User A from the group board.

4. From User A, visit the group board and try deleting the pin you saved > the pin will be deleted.

Videos

Timeline
.
Rohmad 23 May 2024

Submit a report via Bugcrowd

08 Jun 2024

Triager failed to reproduce Triager reproduces this issue with a secret group board.

.
Rohmad 08 Jun 2024

Additional information sent Provides information that this issue is impacting public group boards.

11 Jun 2024

Triaged

.
Rohmad 18 Jun 2024

Ask about updates

20 Jun 2024

Unresolved - Bounty awarded Sorry for the delay and thanks for the submission, you should receive your bounty shortly.

08 Oct 2024

Close report as N/A Hi thanks for the submission, this turned out to be expected behavior.

INVALID






Show All Images