Twenty Year Anniversary

LinkedIn User Account Handling

LinkedIn User Account Handling
Posted Jul 29, 2014
Authored by Kishor Sonawane

LinkedIn suffered from a user account handling vulnerability.

tags | exploit, csrf
MD5 | 0f506810937697f765f95d3f52c94d14

LinkedIn User Account Handling

Change Mirror Download
=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 11th, 2013
- Last revised: February 5th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
Multiple vulnerabilities in LinkedIn User Account Handling

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.

3. DESCRIPTION
-------------------------
There are multiple security issues in LinkedIn user account handling.

In a normal scenario a LinkedIn user logs into his/her account and can change existing Email address or add new Email address. User can use any of the Email addresses to login into LinkedIn account.

It was observed that following security issues are present in LinkedIn

a. LinkedIn adds new Email address without any confirmation from the user.
By simply adding a new Email address will make it fully functioning immediately.

This means if an attacker manages to add an arbitrary Email Id to a victim user's LinkedIn account then it will not need any verification.
Also, an attacker can ask for password reset link from LinkedIn forgot password page immediately after adding the arbitrary Email id to a victim's account and own his/her account.

b. User (LinkedIn account owner) cannot remove the arbitrary Email address (added by an attacker) from his own LinkedIn account.

So if the victim comes to know that an unknown Email Id has got added to his/her account still they cannot remove it as LinkedIn does not process the request of removal successfully and only shows a false message that the Email Id has been removed.

c. Insecure password reset module

Even after password reset link is used and user has changed the password, this link will be activated for 24 hours where attacker can reset the password again and again. This way once compromised account can not be secured again by the victim user.

4. PROOF OF CONCEPT
-------------------------------

Steps to conduct the attack.
I. Attacker use some techniques such as CSRF like vulnerability to Social Engineering and adds a custom Email Id to victim's LinkedIn account.
II. Attacker goes to LinkedIn forgot password page and reset victim's password by providing the newly added Email id.
III. Attacker accesses the password reset link from custom Email id account and owns victim's LinkedIn account.
IV. Victim user on knowing that his account is compromised will try to remove the newly added custom Email Id/attacker's Email Id but cannot remove it.
V. Victim user will reset his password with his own account but attacker will again access the same password reset link and reset the password to continue having access to victim's LinkedIn account.


5. BUSINESS IMPACT
-------------------------
An attacker can compromise a LinkedIn user account and can retain his access forever.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 11, 2013: Initial release
February 05, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile application and network infrastructure.
Our Mission is to exceed client expectations, deliver quality security services in totality, covering People, Process and Technology asset of the client, with assurance of comprehensive coverage on every possible facet of information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291
https://www.linkedin.com/company/varutra-consulting

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    64 Files
  • 24
    May 24th
    55 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close