LinkedIn Clickjacking / Open Redirection

2012-09-15T00:00:00
ID PACKETSTORM:116596
Type packetstorm
Reporter Ajay Singh Negi
Modified 2012-09-15T00:00:00

Description

                                        
                                            ` Linkedin's Clickjacking & Open Url Redirection Vulnerabilities  
  
# Vulnerability Title: Secondary Email Addition & Deletion Via Click  
Jacking in Linkedin  
# Website Link: [Tried on Indian version]  
# Found on: 06/08/2012  
# Author: Ajay Singh Negi  
# Version: [All language versions would be vulnerable]  
# Tested on: [Indian version]  
# Reported On: 07/08/2012  
# Status: Fixed  
# Patched On: 10/09/2012  
# Public Release: 15/09/2012  
  
  
  
  
*Summary*  
  
A Clickjacking vulnerability existed on Linkedin that allowed an attacker  
to add or delete a secondary email and can also make existing secondary  
email as primary email by redressing the manage email page.  
  
*Details*  
  
Linkedin manage email page (a total of 1 page) was lacking X-FRAME-OPTIONS  
in Headers and Frame-busting javascript measures to prevent framing of the  
pages. So the manage email page could be redressed to 'click-jack' Linkedin  
users. Below I have mentioned the vulnerable Url.  
  
  
*1. Click Jacking Vulnerable Url:*  
https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1<http://www.google.com/url?q=https%3A%2F%2Fwww.linkedin.com%2Fsettings%2Fmanage-email%3Fgoback%3D.nas_*1_*1_*1&sa=D&sntz=1&usg=AFQjCNGkjluV_mUQz-l0-O4AE2x6J5lKqA>  
  
  
  
# Vulnerability Title: Open Url Redirection in Linkedin  
# Website Link: [Tried on Indian version]  
# Found on: 05/08/2012  
# Author: Ajay Singh Negi  
# Version: [All language versions would be vulnerable]  
# Tested on: [Indian version]  
# Reported On: 06/08/2012  
# Status: Fixed  
# Patched On: 07/09/2012  
# Public Release: 15/09/2012  
  
  
  
*Summary*  
  
Open Url Redirection using which an attacker can redirect any Linkedin user  
to any malicious website. Below I have mentioned the vulnerable Url.  
  
  
*Original Open Url Redirection Vulnerable Url:*  
  
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/https%3A%2F%2Fhelp.linkedin.com%2Fapp%2Fhome%2Fh%2Fc%2Ffrom_auth%2Ftrue  
  
  
  
*Crafted Open Url Redirection Vulnerable Url:*  
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in<http://www.google.com/url?q=https%3A%2F%2Fhelp.linkedin.com%2Fapp%2Futils%2Flog_error%2Fet%2F0%2Fec%2F7%2Fcallback%2Fhttp%253A%252F%252Fattacker.in&sa=D&sntz=1&usg=AFQjCNHwFbje3XOKHpKQ48bGat-sG-MjCQ>  
  
  
POC can be found on below mentioned Url:  
http://computersecuritywithethicalhacking.blogspot.in/2012/09/linkedins-clickjacking-open-url.html  
`