HackerOne report H1:1716300

LinkedIn: Unauthorized User can View Subscribers of Other Users Newsletters

2022-09-29 06:46:34
tushar6378
hackerone.com
5
linkedin
server-side authorization
api vulnerability
subscriber list disclosure
bug bounty

Issue description

A creator can create a newsletter, the followers can subscribe to the newsletter. The owner of the newsletter can view the subscriber list by clicking the “subscriber” button.

Server-side authorization checks are missing on
GET /voyager/api/voyagerPublishingDashSeriesSubscribers?decorationId=com.linkedin.voyager.dash.deco.publishing.SeriesSubscriberMiniProfile-2&count=10&q=contentSeries&seriesUrn=urn%3Ali%3Afsd_contentSeries%3A<NewsletterId>&start=0 HTTP/2. This gives an attacker the ability to view the subscriber list of other users’ newsletters by replaying the vulnerable request with the victim’s NewsletterId, which is public.

Steps:

  1. Create a newsletter.
  2. Open the newsletter and click on “subscriber”.
  3. Capture the vulnerable request.
  4. Replay the vulnerable request using victim’s NewsletterId.
  5. The response will disclose the subscriber list and their details in the API Response.

Impact

An attacker can view the subscriber list and details of other users’ newsletters, even though this is not possible through the application UI, by just replaying the vulnerable request with the victim’s NewsletterId.
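The following is an added example, not LinkedIn's code: an in-memory model of the subscriber endpoint that places the handler lacking an owner check (the class of bug reported above) beside the hardened one, plus a helper that extracts the seriesUrn from the request line in the report. The member ids, series URNs and subscriber lists are constructed sample data.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


class Forbidden(Exception):
    """Raised when the caller is not allowed to read a series' subscribers."""


@dataclass
class Series:
    urn: str
    owner: str                                  # member id of the newsletter creator
    subscribers: list = field(default_factory=list)


# Constructed sample data: two newsletters owned by different members.
SERIES = {
    "urn:li:fsd_contentSeries:1001":
        Series("urn:li:fsd_contentSeries:1001", "alice", ["carol", "dave"]),
    "urn:li:fsd_contentSeries:2002":
        Series("urn:li:fsd_contentSeries:2002", "bob", ["erin"]),
}


def series_urn_from_request(path_and_query: str) -> str:
    """Return the URL-decoded seriesUrn from a voyagerPublishingDashSeriesSubscribers request."""
    query = parse_qs(urlsplit(path_and_query).query)
    return query["seriesUrn"][0]


def list_subscribers_vulnerable(caller: str, series_urn: str, start: int = 0, count: int = 10):
    """Authenticated but not authorized: any logged-in caller can read any series' list."""
    series = SERIES[series_urn]                 # caller is never compared with series.owner
    return series.subscribers[start:start + count]


def list_subscribers_fixed(caller: str, series_urn: str, start: int = 0, count: int = 10):
    """Server-side check: only the owner of the series may read its subscribers."""
    series = SERIES.get(series_urn)
    # Unknown and not-owned series get the same answer, so the response does not
    # confirm whether a guessed NewsletterId exists.
    if series is None or series.owner != caller:
        raise Forbidden(f"member {caller!r} may not read subscribers of {series_urn!r}")
    return series.subscribers[start:start + count]


def owner_check_denies(caller: str, series_urn: str) -> bool:
    """True if the hardened handler refuses the request (useful for a regression test)."""
    try:
        list_subscribers_fixed(caller, series_urn)
    except Forbidden:
        return True
    return False
```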