A few weeks ago, I received an invite for Pinterest. I wanted to see what it was all about, so I clicked accept invite and proceeded to sign up for an account. At that moment frustration set in: it appeared that to confirm my invite I needed to log in to Facebook. While on the surface this appears to be a convenience, for me it was not.
Against my better judgement, I played their game and proceeded to accept the invite. I typed my login for a Facebook account and, voilà, within a few seconds I had a Pinterest profile. I also had the benefit that Pinterest was now tied to my Facebook account; the fact that it was the wrong one, well… More on this later. In addition, my personal Facebook feed had been updated to reflect that I had signed up for Pinterest, and I had some of my friends follow me instantly. I proceeded to add data to my profile and attempt to create a Pinterest-only login.
The problem started when I logged into Facebook to accept the invite. After a successful login, I went to the Pinterest settings panel and looked at the link to Facebook. What I found shocked me! Somehow, even though I had logged in with my Facebook account, Pinterest was linked to my daughter's. Keep in mind, when I opened the link to accept the Pinterest invite I was in a browser that my daughter uses when on my computer. Because of this the browser had all the Facebook cookies and login credentials for her account, but I authenticated against my Facebook account. Can we say oops! This was just all kinds of wrong! Adding insult to injury, remember Pinterest posted on my wall, and I had followers! It took me a few minutes to realize what was going on; when I did, I promptly deleted my Pinterest account. I then signed up again with another invite, but I did it in a browser window with all cookies cleared.
Later in the day, I analyzed the situation, and this is what I think happened. I received two invites to Pinterest, one that I requested from their website and one that a friend sent from Facebook. The one sent from Facebook was opened, and I signed up in the browser my daughter uses. Doing this caused Pinterest to verify that I was a real person against my Facebook account; in addition, it was smart enough to know I had accepted the invite, so it posted on my wall. It then read the cookies from the browser and linked to my daughter's account.
I do still have a Pinterest account, although I am not a frequent user. I also broke the link between Pinterest and Facebook. In addition, this made me speculate and analyze whether or not the common "login with" feature that many websites use is secure. My question is whether or not it could be used for a man-in-the-middle style attack, or to hack into someone's account by creating fake authentication credentials. Prior to having this experience I would have said no, but now I am no longer sure. My advice: while using this feature seems convenient, I advise against it when given a choice.
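The mix-up described above comes down to the site linking whatever identity the browser's existing Facebook session handed back, rather than the account I actually meant to link. As an added example (not Pinterest's or Facebook's code, and not from the original post), this Python sketch shows how a "login with" relying party can defend against that: each link attempt gets a single-use state token bound to the local session, and the link is only finalized after the user confirms the exact identity the identity provider returned. The class, method names, session store and the "dad"/"daughter" identities are all constructed for illustration.

```python
import secrets


class LinkFlow:
    """Relying-party side of a 'login with' account-link flow (constructed example)."""

    def __init__(self):
        # session_id -> local user, pending single-use state, identity awaiting confirmation
        self.sessions = {}
        # local user -> linked identity-provider user id
        self.links = {}

    def start_link(self, session_id, local_user):
        """User clicks 'link Facebook': mint a state token bound to this session."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": local_user, "pending_state": state, "pending_idp": None}
        return state

    def handle_callback(self, session_id, state, idp_user):
        """Identity provider redirects back with the state and whichever user it had a session for."""
        sess = self.sessions.get(session_id)
        if sess is None or sess["pending_state"] is None or not secrets.compare_digest(sess["pending_state"], state):
            # Stale, replayed, or foreign callback: never link on it.
            return "rejected: state mismatch"
        sess["pending_state"] = None  # single use
        # Do not link yet: show the user which identity came back and ask them to confirm it.
        sess["pending_idp"] = idp_user
        return f"confirm linking {idp_user}"

    def confirm_link(self, session_id, expected_idp_user):
        """User confirms the identity shown to them; link only if it matches what came back."""
        sess = self.sessions.get(session_id)
        if sess is None or sess["pending_idp"] is None:
            return "rejected: nothing pending"
        if sess["pending_idp"] != expected_idp_user:
            # The browser's leftover session belonged to someone else: abort instead of linking.
            sess["pending_idp"] = None
            return "rejected: identity mismatch"
        self.links[sess["user"]] = sess["pending_idp"]
        sess["pending_idp"] = None
        return "linked"


def replay_mixup():
    """Re-run the post's scenario: dad starts the link, but the browser still holds daughter's session."""
    flow = LinkFlow()
    state = flow.start_link("shared-browser", "dad")
    first = flow.handle_callback("shared-browser", state, "daughter_fb")  # IdP returns the wrong person
    second = flow.confirm_link("shared-browser", "dad_fb")  # dad confirms who he expected; mismatch
    return first, second, dict(flow.links)
```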
(Disclaimer: Some of the links contained in this post are affiliate links. See the Federal Trade Commission's 16 CFR, Part 255: "Guides Concerning the Use of Endorsements and Testimonials in Advertising.")