
LinkedIn Cross Site Request Forgery
Posted Jun 27, 2014
Authored by Kishor Sonawane

LinkedIn suffered from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 22f5c4cf80ff5ae2a049522d2411c39e

=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 20th, 2013
- Last revised: May 4th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
CSRF vulnerability in LinkedIn allowing a remote attacker to delete any user’s recommendations

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented social networking service. One purpose of the site is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.

3. DESCRIPTION
-------------------------
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in one of its most important features, the "Recommendations" functionality. LinkedIn allows, indeed facilitates, a user to check recommendations given to other users; they are shown as Recommendations for ‘UserName’.

An attacker can craft a request to delete the received recommendations and send it to the victim user. The attack can be carried out with a simple GET request. The attacker does not need a separate medium to send the malicious CSRF request; the LinkedIn mail feature alone suffices.

4. PROOF OF CONCEPT
-------------------------------

An attacker can view his/her own recommendations and collect the following URL.

Here is a typical request to delete a recommendation for a logged-in user:

https://www.linkedin.com/recommendations?wdr=&recID=123456789&goback=%2Enas_*1_*1_*1%2Eprs

The recID is a unique request Id generated by LinkedIn for each of the recommendations a user receives.

In its simplest form the request is:

https://www.linkedin.com/recommendations?wdr=&recID=123456789

This request Id can be obtained from the web page source while viewing the victim user’s recommendations.

Steps to conduct the attack:
I. Attacker visits the victim user’s LinkedIn account and views the recommendations received.
II. Attacker goes to the page source in his own browser and gets the victim user’s recommendation request Id.
III. Attacker crafts the malicious CSRF request and sends it to the victim through LinkedIn mail.
IV. On clicking the link, the victim’s recommendation is withdrawn / deleted.
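The defect the advisory describes is a state-changing action (deleting a recommendation) reachable through a plain GET carrying nothing but the browser's ambient session cookie. The following is an added example, not LinkedIn's code or Varutra's, showing that vulnerable handler pattern beside a hardened one in a small, self-contained request model. The `Request` class, `App` class, `SITE_ORIGIN` value and the recommendation id used are all constructed for the example; the hardened handler applies three standard CSRF mitigations (reject GET for mutations, require a per-session synchronizer token compared in constant time, and check the Origin/Referer header against the site's own origin).

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed value standing in for the application's own origin
# (hypothetical; any real deployment would use its real scheme + host).
SITE_ORIGIN = "https://www.example-social.test"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class App:
    """Toy application with an in-memory session store and recommendation table."""

    def __init__(self):
        self.sessions = {}         # session id -> {"user": ..., "csrf": ...}
        self.recommendations = {}  # recommendation id -> owning user

    def login(self, user):
        # Each session gets its own unguessable CSRF token; an attacker's page
        # cannot read it because of the same-origin policy.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def current_user(self, req):
        sess = self.sessions.get(req.cookies.get("sid"))
        return sess["user"] if sess else None

    def _delete(self, user, rec):
        if self.recommendations.get(rec) == user:
            del self.recommendations[rec]
            return 200
        return 404

    # Vulnerable pattern from the advisory: a GET whose only authentication is
    # the session cookie, which the browser attaches to cross-site requests too.
    def delete_rec_vulnerable(self, req):
        user = self.current_user(req)
        if user is None:
            return 401
        return self._delete(user, req.query.get("recID"))

    # Hardened handler: POST only, same-origin check, per-session token.
    def delete_rec_hardened(self, req):
        user = self.current_user(req)
        if user is None:
            return 401
        if req.method != "POST":
            return 405  # mutations never ride on GET
        origin = req.headers.get("Origin") or req.headers.get("Referer")
        if origin is None:
            return 403  # no way to establish where the request came from
        o = urlparse(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
            return 403  # cross-site request
        expected = self.sessions[req.cookies["sid"]]["csrf"]
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied):
            return 403  # token missing or wrong; compared in constant time
        return self._delete(user, req.form.get("recID"))


def demo():
    """Replay a forged cross-site request against both handlers; returns status codes."""
    rec = "123456789"  # constructed recommendation id, mirroring the advisory's sample

    # Victim logged in; a link on attacker.test is clicked and the browser
    # attaches the session cookie automatically.
    app = App()
    sid = app.login("victim")
    app.recommendations[rec] = "victim"
    forged = Request("GET", "/recommendations", query={"wdr": "", "recID": rec},
                     headers={"Referer": "https://attacker.test/"}, cookies={"sid": sid})
    vuln_status = app.delete_rec_vulnerable(forged)
    vuln_deleted = rec not in app.recommendations

    # Same forged request against the hardened handler.
    app2 = App()
    sid2 = app2.login("victim")
    app2.recommendations[rec] = "victim"
    forged2 = Request("GET", "/recommendations", query={"wdr": "", "recID": rec},
                      headers={"Referer": "https://attacker.test/"}, cookies={"sid": sid2})
    hard_status = app2.delete_rec_hardened(forged2)
    # A cross-site POST without the token is also refused.
    forged_post = Request("POST", "/recommendations", form={"recID": rec},
                          headers={"Origin": "https://attacker.test"}, cookies={"sid": sid2})
    hard_post_status = app2.delete_rec_hardened(forged_post)
    # The user's own same-origin form submission, carrying the token, succeeds.
    legit = Request("POST", "/recommendations",
                    form={"recID": rec, "csrf_token": app2.sessions[sid2]["csrf"]},
                    headers={"Origin": SITE_ORIGIN}, cookies={"sid": sid2})
    legit_status = app2.delete_rec_hardened(legit)
    return vuln_status, vuln_deleted, hard_status, hard_post_status, legit_status


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 and the recommendation is gone; the hardened one answers 405 to the forged GET, 403 to the forged POST, and 200 only to the same-origin POST that carries the session's token. A `SameSite=Lax` or `Strict` attribute on the session cookie adds a further, browser-enforced layer, but the token check is what makes the server independent of client behaviour.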



5. BUSINESS IMPACT
-------------------------
An attacker can withdraw / delete any recommendation of any user.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 20, 2013: Initial release
May 04, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure-play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile devices and networks.
Our Mission is to exceed client expectations and deliver quality security services in totality, covering the People, Process and Technology assets of the client, with assurance of comprehensive coverage on every possible facet of information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291
