LinkedIn Cross Site Request Forgery
Posted Jun 27, 2014
Authored by Kishor Sonawane

LinkedIn suffered from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 22f5c4cf80ff5ae2a049522d2411c39e

=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 20th, 2013
- Last revised: May 4th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
CSRF vulnerability in LinkedIn allowing a remote attacker to delete any user's recommendations

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented social networking service. One purpose of the site is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.

3. DESCRIPTION
-------------------------
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF in one of its most important features, "Recommendations". LinkedIn not only allows but actively facilitates a user viewing the recommendations given to other users; they are shown as Recommendations for 'UserName'.

An attacker can craft a request that deletes a received recommendation and send it to the victim user. The action is carried out with a plain GET request that carries no anti-CSRF token (see the URL in section 4). The attacker does not need a separate channel to deliver the malicious request: LinkedIn's own mail feature is sufficient.

4. PROOF OF CONCEPT
-------------------------------

An attacker can view his/her own recommendations and collect the URL below.

Here is a typical request that deletes a recommendation for a logged in user:

https://www.linkedin.com/recommendations?wdr=&recID=123456789&goback=%2Enas_*1_*1_*1%2Eprs

The recID is a unique identifier generated by LinkedIn for each recommendation a user receives.

In its simplest form the request is

https://www.linkedin.com/recommendations?wdr=&recID=123456789

This identifier can be obtained from the page source while viewing the victim user's recommendations, so the attacker does not need to guess it.

Steps to conduct the attack:
I. The attacker visits the victim's LinkedIn profile and views the recommendations the victim has received.
II. The attacker opens the page source in his own browser and obtains the recID of the victim's recommendation.
III. The attacker crafts the malicious CSRF request and sends it to the victim through LinkedIn mail.
IV. When the victim clicks the link, the recommendation is withdrawn / deleted.



5. BUSINESS IMPACT
-------------------------
An attacker can withdraw / delete any recommendation received by any user.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 20, 2013: Initial release
May 04, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure-play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile devices and networks.
Our mission is to exceed client expectations and deliver quality security services in totality, covering the People, Process and Technology assets of the client, with assurance of comprehensive coverage of every possible facet of information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291