{"id":650,"date":"2014-06-30T10:04:10","date_gmt":"2014-06-30T10:04:10","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=650"},"modified":"2022-12-02T17:01:06","modified_gmt":"2022-12-02T11:31:06","slug":"csrf-vulnerability-on-linkedin","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/csrf-vulnerability-on-linkedin\/","title":{"rendered":"CSRF Vulnerability on LinkedIn"},"content":{"rendered":"


\n\"csrf_linkedin\"<\/a><\/b><\/p>\n

In previous blog <\/a> we have seen a critical vulnerability in LinkedIn password reset module allowing an attackers to compromise LinkedIn user\u2019s account and how helpless a LinkedIn user in case of an actual compromise of his \/ her account in real world scenario.<\/p>\n

Here is a new vulnerability Cross-Site Request Forgery, CSRF present on LinkedIn Recommendation Section, which allows attacker to delete any Recommendation of Any user.\u00a0 <\/b><\/p>\n

 <\/p>\n

Lets us understand the CSRF issue and simplicity of this attack.<\/b><\/h3>\n

1. Attacker \/ malicious LinkedIn user can check the recommendation given by LinkedIn User 1 to LinkedIn User 2.<\/p>\n

2. Attacker logs into LinkedIn account, goes to the web page source and search for strings such as \u201cRecommendation for USERNAME\u201d.<\/p>\n

\"csrf<\/a><\/p>\n

\u00a0Figure: Web page source shows the recommendation details with a unique Id \u201d515940281\u201d for User 1\u2019s recommendations to User 2.<\/p>\n

 <\/p>\n

3. To craft a malicious CSRF link attacker goes to Manage Recommendation<\/strong> area and check for any recommendations he has posted for others. \u00a0Clicks on it and copy the URL for any one recommendation.<\/p>\n

The URL will be<\/p>\n

https:\/\/www.linkedin.com\/recommendations?dep=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs<\/a><\/p>\n

\"Cross-Site<\/a><\/p>\n

Figure: Analyzing and collecting URL for Displaying and Withdrawing a User’s recommendation.
\n<\/span><\/p>\n

\u00a04. Now same way the URL to withdraw any given recommendation by the attacker is<\/p>\n

https:\/\/www.linkedin.com\/recommendations?wdr=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs<\/a><\/p>\n

The only difference is to change the parameter from \u2018dep\u2019 to \u2018wdr\u2019.<\/p>\n

Craft a URL for removing or withdrawing recommendation from User 1 to User 2 is<\/p>\n

https:\/\/www.linkedin.com\/recommendations?wdr=&recID=515940281<\/a><\/p>\n

This is the shortest and simplest form of the vulnerable CSRF link.<\/p>\n

5. Send this URL to User 1 in an email. More dangerously, the same CSRF link can be send using LinkedIn mail feature.<\/p>\n

6. On clicking this link by User 1 the selected recommendation given by User 1 to User 2 will be withdrawn or deleted.<\/p>\n

 <\/p>\n

On reporting this issue LinkedIn was prompt to acknowledge the vulnerability and have mitigated it.<\/strong><\/em><\/p>\n

More can be read at http:\/\/packetstormsecurity.com\/files\/127259\/<\/a><\/p>\n

Written By,<\/p>\n

Attack & PenTest Team,<\/em><\/p>\n

Varutra Consulting<\/em><\/p>","protected":false},"excerpt":{"rendered":"

In previous blog we have seen a critical vulnerability in LinkedIn password reset module allowing an attackers to compromise LinkedIn user\u2019s account and how helpless…<\/p>\n","protected":false},"author":3,"featured_media":3240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[140,276,261,266,267],"tags":[59,60,61],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t