LinkedIn Join Group Cross Site Request Forgery
Posted Oct 18, 2013
Authored by Eduardo Garcia Melia | Site isecauditors.com

LinkedIn suffered from a cross site request forgery vulnerability in the Join Group functionality.

tags | exploit, csrf
SHA-256 | 442cba9a0c6a978e69874ca3310a79b3dd238196b467f3e2045742bf6b7bdf18

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-016
- Original release date: June 8th, 2013
- Last revised: July 11th, 2013
- Discovered by: Eduardo Garcia Melia
- Severity: 4.3/10 (CVSSv2 Base Score)
=============================================

I. VULNERABILITY
-------------------------
CSRF vulnerability in LinkedIn

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals were signing up to join LinkedIn at a rate of approximately two new members per second, and over 175 million professionals use LinkedIn to exchange information, ideas and opportunities.

III. DESCRIPTION
-------------------------
CSRF (Cross-site Request Forgery) is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user; if the targeted end user is the administrator account, it can compromise the entire web application.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in the "Join Groups" functionality. The only token used to authenticate the user is the session cookie, and the browser sends this cookie automatically with every request, so a request issued from a third-party page carries the same credential as one issued from LinkedIn itself.

LinkedIn Groups provide a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts.

An attacker can create a page that includes requests to the "Join Group" functionality of LinkedIn and thereby add to his group any authenticated users who visit the attacker's page.

The attack is made easier because the "Join Group" request can be performed with the HTTP GET method instead of the POST method normally issued by the "Join Group" button.

IV. PROOF OF CONCEPT
-------------------------
Below is a typical request to the "Join Group" functionality:

POST /nhome/nux/group HTTP/1.1
Host: www.linkedin.com
...

grpId=<GROUPID>&trk=nux-group-join

The HTTP GET method can also be used instead of the HTTP POST method shown above, which makes exploitation of the CSRF vulnerability easier. The following HTTP request produces the same result as the original HTTP POST request:

GET /nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join HTTP/1.1
Host: www.linkedin.com
...

1. The attacker creates a web page "csrf-exploit.html" that issues an HTTP GET request to the "Join Group" functionality.

For example:
...
<img src="http://www.linkedin.com/nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join" width=0 height=0>
...

2. A user authenticated in LinkedIn visits the "csrf-exploit.html" page controlled by the attacker.

For example, the attacker sends a message to the victim (using the messaging system provided by LinkedIn is preferable, since it ensures that the victim is authenticated) and, through social engineering techniques, induces the victim to visit his page.

3. The attacker receives a join request from the victim user, accepts it, and the user is added to his group.
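As an added illustration (not code from the advisory or from LinkedIn), the handler below contrasts the weakness described above, a state-changing action accepted on any method with the session cookie as the only credential, with a hardened version that requires POST, a same-origin Origin header and a per-session synchronizer token. The in-memory session store, request shape, site origin and the "csrfToken" parameter name are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state for the demo: session cookie -> session data,
# and group id -> users with a pending join request.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
GROUPS = {}
SITE_ORIGIN = "https://www.linkedin.com"  # assumed origin of the application


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict                      # query string (GET) or form body (POST)
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def join_group_vulnerable(req):
    """Mirrors the advisory's weakness: any HTTP method is accepted and the
    only credential is the session cookie, which the browser attaches itself."""
    sess = _session(req)
    if sess is None:
        return 401
    GROUPS.setdefault(req.params["grpId"], set()).add(sess["user"])
    return 200


def join_group_hardened(req):
    """Same action, but POST only, same-origin check, and a per-session
    synchronizer token that a third-party page cannot read or forge."""
    if req.method != "POST":
        return 405                    # no state change on GET (<img>, links)
    sess = _session(req)
    if sess is None:
        return 401
    # Browsers send Origin on cross-site POSTs; anything foreign is rejected.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    # Constant-time compare of the submitted token with the session's token.
    if not hmac.compare_digest(req.params.get("csrfToken", ""), sess["csrf"]):
        return 403
    GROUPS.setdefault(req.params["grpId"], set()).add(sess["user"])
    return 200
```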

V. BUSINESS IMPACT
-------------------------
A malicious user can make victims send a request to join his group without their consent or knowledge.

VI. SYSTEMS AFFECTED
-------------------------
LinkedIn service.

VII. SOLUTION
-------------------------
Pending.

VIII. REFERENCES
-------------------------
http://www.linkedin.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Eduardo Garcia Melia (egarcia(at)isecauditors(dot)com).

X. REVISION HISTORY
-------------------------
June 08, 2013: Initial release
June 11, 2013: New update

XI. DISCLOSURE TIMELINE
-------------------------
June 11, 2013: Vulnerability acquired by
Internet Security Auditors.
July 11, 2013: Sent to LinkedIn SecTeam.
August 15, 2013: Vulnerability fixed by LinkedIn SecTeam.
October 17, 2013: Disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/
packet storm

© 2022 Packet Storm. All rights reserved.