I’ve started seeing an uptick in Twitter spam – ostensibly from my friends telling me I can make money online. The common denominator is that they all use Pinterest as a vector for spreading the spam.
Looking at the accounts of people who have recently tweeted these or similar messages shows that the majority are real people – not automated spam-bots. So how is this happening?
Checking the Tweet’s metadata, the tweets all appear to come from the Pinterest service. This indicates two possibilities.
- Users’ Pinterest accounts / passwords have been compromised.
- It is possible to trick people into posting onto Pinterest – if their accounts are set to auto share, the link will be sent to other social networks.
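The metadata check described above can be scripted. The following is an added example, not code from the original post: it reads a batch of tweets in the shape of the Twitter API status object, whose `source` field is an HTML anchor naming the application that posted the tweet, picks out the ones matching a rough "make money online" pattern, and tallies which app they came through and which accounts were affected. The tweets themselves are constructed sample data, and the spam pattern is only a heuristic chosen for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample of status objects in the shape returned by the Twitter
# API (v1.1). The "source" field is the HTML anchor Twitter attaches to each
# tweet naming the posting application. These tweets are made up, not real data.
SAMPLE_TWEETS_JSON = json.dumps([
    {"id": 1, "user": {"screen_name": "alice"},
     "text": "I made $300 working from home! http://example.invalid/1",
     "source": '<a href="http://pinterest.com/" rel="nofollow">Pinterest</a>'},
    {"id": 2, "user": {"screen_name": "bob"},
     "text": "Make money online fast http://example.invalid/2",
     "source": '<a href="http://pinterest.com/" rel="nofollow">Pinterest</a>'},
    {"id": 3, "user": {"screen_name": "carol"},
     "text": "Lunch was great today",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>'},
    {"id": 4, "user": {"screen_name": "dave"},
     "text": "make money online with this one trick http://example.invalid/4",
     "source": '<a href="http://bufferapp.com" rel="nofollow">Buffer</a>'},
    {"id": 5, "user": {"screen_name": "alice"},
     "text": "Just pinned a recipe",
     "source": '<a href="http://pinterest.com/" rel="nofollow">Pinterest</a>'},
])

# The anchor text of the "source" field is the human-readable app name.
SOURCE_RE = re.compile(r"<a\b[^>]*>(?P<app>[^<]*)</a>")
# Rough heuristic for the "make money online" spam the post describes
# (an assumption for this example, not a definitive signature).
SPAM_RE = re.compile(r"\b(make|made)\s+(money|\$\d+)\b|\bwork(ing)?\s+from\s+home\b", re.I)


def source_app(tweet):
    """Return the posting application's name, or 'unknown' if the field is malformed."""
    m = SOURCE_RE.search(tweet.get("source", ""))
    return m.group("app").strip() if m else "unknown"


def is_spam(tweet):
    """True if the tweet text matches the spam heuristic."""
    return bool(SPAM_RE.search(tweet.get("text", "")))


def spam_sources(tweets_json):
    """Count which apps the spam-looking tweets were posted through.

    Returns (Counter mapping app name -> spam tweet count,
             sorted list of screen names that posted spam).
    """
    tweets = json.loads(tweets_json)
    by_app = Counter()
    accounts = set()
    for t in tweets:
        if is_spam(t):
            by_app[source_app(t)] += 1
            accounts.add(t["user"]["screen_name"])
    return by_app, sorted(accounts)


if __name__ == "__main__":
    counts, affected = spam_sources(SAMPLE_TWEETS_JSON)
    for app, n in counts.most_common():
        print(f"{n} spam tweet(s) posted via {app}")
    print("accounts to notify:", ", ".join(affected))
```

If most of the flagged tweets share one third-party `source` while the same users' normal tweets come from their usual clients, that points at the connected app (or a way of tricking users into posting through it) rather than at the Twitter accounts themselves, which is the distinction the two possibilities above turn on.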
I would imagine Pinterest would have announced a serious security breach, so let’s examine the second possibility.
Pinterest are quite good at closing spam accounts, which is why spammers have taken to hijacking accounts of members in good standing.
How might they do this? Pinterest offers a developer API which lets website owners add “Pin It” buttons to the page. I imagine that malicious developers have found a way to trick users into clicking a “post to Pinterest” link, or are somehow automating it.
If you have been affected by this, please change your Pinterest password – and consider turning off “auto tweeting”. If you are particularly paranoid, revoke Pinterest’s access to your Twitter account.