exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LinkedIn User Account Handling

LinkedIn User Account Handling
Posted Jul 29, 2014
Authored by Kishor Sonawane

LinkedIn suffered from a user account handling vulnerability.

tags | exploit, csrf
SHA-256 | dd6ed709186c8feeaebc535e20b97700385afcfc7f3bff6f93e8a57396aa2011

LinkedIn User Account Handling

Change Mirror Download
=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 11th, 2013
- Last revised: February 5th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
Multiple vulnerabilities in LinkedIn User Account Handling

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.

3. DESCRIPTION
-------------------------
There are multiple security issues in LinkedIn user account handling.

In a normal scenario a LinkedIn user logs into his/her account and can change existing Email address or add new Email address. User can use any of the Email addresses to login into LinkedIn account.

It was observed that following security issues are present in LinkedIn

a. LinkedIn adds new Email address without any confirmation from the user.
By simply adding a new Email address will make it fully functioning immediately.

This means if an attacker manages to add an arbitrary Email Id to a victim user's LinkedIn account then it will not need any verification.
Also, an attacker can ask for password reset link from LinkedIn forgot password page immediately after adding the arbitrary Email id to a victim's account and own his/her account.

b. User (LinkedIn account owner) cannot remove the arbitrary Email address (added by an attacker) from his own LinkedIn account.

So if the victim comes to know that an unknown Email Id has got added to his/her account still they cannot remove it as LinkedIn does not process the request of removal successfully and only shows a false message that the Email Id has been removed.

c. Insecure password reset module

Even after password reset link is used and user has changed the password, this link will be activated for 24 hours where attacker can reset the password again and again. This way once compromised account can not be secured again by the victim user.

4. PROOF OF CONCEPT
-------------------------------

Steps to conduct the attack.
I. Attacker use some techniques such as CSRF like vulnerability to Social Engineering and adds a custom Email Id to victim's LinkedIn account.
II. Attacker goes to LinkedIn forgot password page and reset victim's password by providing the newly added Email id.
III. Attacker accesses the password reset link from custom Email id account and owns victim's LinkedIn account.
IV. Victim user on knowing that his account is compromised will try to remove the newly added custom Email Id/attacker's Email Id but cannot remove it.
V. Victim user will reset his password with his own account but attacker will again access the same password reset link and reset the password to continue having access to victim's LinkedIn account.


5. BUSINESS IMPACT
-------------------------
An attacker can compromise a LinkedIn user account and can retain his access forever.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 11, 2013: Initial release
February 05, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile application and network infrastructure.
Our Mission is to exceed client expectations, deliver quality security services in totality, covering People, Process and Technology asset of the client, with assurance of comprehensive coverage on every possible facet of information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291
https://www.linkedin.com/company/varutra-consulting
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close