{"id":281,"date":"2014-04-30T13:40:33","date_gmt":"2014-04-30T13:40:33","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=281"},"modified":"2023-03-24T15:28:06","modified_gmt":"2023-03-24T09:58:06","slug":"how-secure-is-my-linkedin-account","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/how-secure-is-my-linkedin-account\/","title":{"rendered":"How secure is my LinkedIn account ?"},"content":{"rendered":"


\n\"Magnifying<\/a><\/p>\n

LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections<\/i>. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http:\/\/en.wikipedia.org\/wiki\/LinkedIn<\/a><\/p>\n

End of last year when I was checking my LinkedIn account I thought of giving a try to see how secure is my LinkedIn account. I noticed few very interesting but dangerous security issues.<\/p>\n

Given below are few of the security issues I thought of sharing for learning purpose. Security issues mentioned below are only those, which have already got patched by LinkedIn recently.<\/p>\n

<\/b>Consider the following scenario:<\/span><\/p>\n

Any valid LinkedIn user logs into his\/her account and can Change\/Add new Email address. Once user adds a new Email address, LinkedIn server sends a mail on the given (new) Email address with a message \u201cPlease confirm your email address\u201d.<\/p>\n

This looks like a normal process of adding a new Email Id. Isn’t it?<\/p>\n

But there is an issue here,<\/p>\n

LinkedIn does not force user or wait for user to confirm the newly added Email address and instead allows access to the LinkedIn account with the new Email address immediately.<\/p>\n

An attacker can send a crafted link to the victim ( i.e. valid LinkedIn account holder) for adding an arbitrary Email address to his\/her LinkedIn account. Attacker can send this crafted link on victim\u2019s valid Email Id. Here attacker can try to use CSRF attack vulnerability.<\/p>\n

For me it was not that simple to carry out CSRF attack, as it seemed that LinkedIn application was using adequate measures such as CSRF tokens. <\/i><\/p>\n

After few analysis what was observed that if I know the server generated CSRF token of an authenticated session of victim then I can get this working and still carry out the attack on the victim.<\/p>\n

There is one trick to collect User\u2019s CSRF token using Social Engineering technique, that is by asking victim user to show the Sign Out button, or some feature of LinkedIn etc. While she shows her logged in screens at that time quickly note down the CSRF token by either viewing the web page source or simply hovering the mouse pointer on Sign Out button as shown in the POC screenshot.<\/p>\n

\"1\"<\/a><\/p>\n

Figure 1: Application shows complete link with CSRF token on the Sign Out Button
\n<\/em><\/p>\n

Needless to say with Google Glass like technology where user can click photos on the fly will make this task very easy, as attacker just needs to view and take a snapshot of the screen showing the link with CSRF token, etc.<\/p>\n

Let’s assume that attacker is successful in sending the crafted link to add a custom Email address on victim\u2019s LinkedIn account. Attacker can achieve this either by the trick we talked above or finding actual CSRF vulnerability in the application.\u00a0 And that\u2019s possible. In next blog I will discuss about how I found CSRF attack on LinkedIn.<\/p>\n

Now let us continue understanding other important security issues,<\/p>\n

The crafted CSRF link by attacker will be<\/p>\n

https:\/\/www.linkedin.com \/settings\/manage-email-submit?a ddEmail=custom_email_id&csrfToken= ajax%3A0988969076258526585<\/i><\/b><\/p>\n

On executing this link new Email address will get added into victim\u2019s LinkedIn account without her knowledge. Let us see what happens then,<\/p>\n

LinkedIn adds new Email address without any confirmation from the user.<\/span><\/b><\/p>\n

\"Application<\/a>
\nFigure 2: Application has added new Email address.<\/em><\/p>\n

Lets ask a question here – After adding a custom Email address (in this case kishorsonawane08@null<\/span>gmail.com) by sending a crafted link to the victim, will LinkedIn still protect the victim by forcing him\/her to first confirm the new Email address and then only activate it?<\/p>\n

Ideally any secure application should confirm by the account holder whether she had added any new Email address. But that was not the case with LinkedIn.<\/p>\n

Without confirming the new Email address let us try to access the forgot password page and enters new Email address so that LinkedIn can send password reset token \/ code.<\/p>\n

\"3\"<\/a>
\nFigure 3: Accessing LinkedIn forgot password page<\/em><\/p>\n

Shockingly, without confirming the newly added Email address, LinkedIn has sent the \u2018Password RESET\u2019 token on newly added Email Id. Bingo!!!<\/p>\n

LinkedIn activates the new Email address without getting any confirmation from the user<\/b> and sends password reset link .<\/span><\/b><\/p>\n

As you must have observed that the password reset token was sent on newly added Email address meaning on attacker\u2019s Email address.<\/p>\n

\"4\"<\/a>Figure 4: LinkedIn has sent a mail with password-reset token\/link.<\/em><\/p>\n

\"5\"<\/a><\/p>\n

\u00a0Figure 5: Attacker can set new password and also reset all other recovery options and compromise the account completely.<\/em><\/p>\n

There was one more severe issue observed here.<\/p>\n

\u00a0User cannot remove arbitrary Email address from LinkedIn account, which was added by attacker.<\/span><\/b><\/p>\n

If victim comes to know that he\/she has not added the new Email address and wants to remove it then also he\/she cannot do it. Isn\u2019t it more shocking???<\/p>\n

Application does not remove newly added Email address and force user\/victim to first complete the confirmation by log in to the account.<\/p>\n

Now the biggest question here is how can victim user will confirm this new Email address, which he\/she has not added as well as has no access to that Email account also.<\/p>\n

If user tries to remove this Email address from LinkedIn, application shows following message that the address has been removed but in reality IT WILL NOT. If user checks the email settings she will found that the Email address has not gone. So victim is helpless here.<\/p>\n

\"Secure<\/a><\/p>\n

\u00a0Figure 6: Application shows that the newly added Email has gone but it does not remove it in reality.<\/em><\/p>\n

\u00a0Insecure Password Reset Module<\/span><\/b><\/p>\n

LinkedIn enables the password-reset link for 24 hours. Ideally as a best practice, on clicking the password reset link and successfully resetting the password, the link should become inactive. But even after resetting the password this link will be valid for 24 hours, which is dangerous in case of the account is compromised, and attacker has the password-reset link on his Email address.<\/p>\n

This means if user comes to know that his account might be compromised with other Email address and if he\/she changes the password, still attacker can use the password-reset link to change the password again and take control of it.<\/p>\n

When contacted LinkedIn they have accepted these issues and mitigated them. Few more issues are getting patched. Till then happy Social Networking.<\/p>\n

Read it on packet storm\u00a0<\/a><\/p>\n

Written By,<\/p>\n

Attack & PenTest Team,<\/em><\/p>\n

Varutra Consulting<\/em><\/p>","protected":false},"excerpt":{"rendered":"

LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of…<\/p>\n","protected":false},"author":3,"featured_media":3386,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[140,261,266,267,57,272],"tags":[56],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t