LinkedIn Cross Site Request Forgery

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-001  
- Original release date: January 30th, 2013  
- Last revised: March 25th, 2013  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 4.3/10 (CVSSv2 Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
CSRF vulnerability in LinkedIn  
  
II. BACKGROUND  
-------------------------  
LinkedIn is a social networking service and website (www.linkedin.com)  
for professionals. The site officially launched on May 5, 2003. As of  
September 30, 2012 (the end of the third quarter), professionals are  
signing up to join LinkedIn at a rate of approximately two new members  
per second. Actually, Over 175 million professionals use LinkedIn to  
exchange information, ideas and opportunities.  
  
III. DESCRIPTION  
-------------------------  
CSRF (Cross-site Request Forgery) is an attack which forces an end  
user to execute unwanted actions on a web application in which he/she  
is currently authenticated. With a little help of social engineering  
(like sending a link via email/chat), an attacker may force the users  
of a web application to execute actions of the attacker's choosing. A  
successful CSRF exploit can compromise end user data and operation in  
case of normal user. If the targeted end user is the administrator  
account, this can compromise the entire web application.  
  
More info about CSRF:  
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
LinkedIn is vulnerable to CSRF attacks in the "Add connections"  
functionality. Specifically, in the "Send Invitation" request. The  
only token for authenticate the user is a session cookie, and this  
cookie is sent automatically by the browser in every request.  
  
An attacker can create a page that includes requests to the "Send  
Invitation" functionality of LinkedIn and add to his connections the  
users who, being authenticated, visit the page of the attacker.  
  
The attack is facilitated since the "Send Invitation" request can be  
realized across the HTTP GET method instead of the POST method that is  
realized habitually across the "Send Invitation" form.  
  
IV. PROOF OF CONCEPT  
-------------------------  
Next, we show a typical request to the "Send Invitation" functionality:  
  
POST /fetch/manual-invite-create HTTP/1.1  
Host: www.linkedin.com  
...  
  
emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn&csrfToken=ajax:1234567890123456789&sourceAlias=0_cB6j7zv7bfEcbTWXQyKwqELvCi7FWQRq-jJsq2WDImH  
  
Some parameters are not used/validated by the application, so we can  
remove these parameters from the request:  
- csrfToken  
- sourceAlias  
  
Also, We can use HTTP GET method instead the HTTP POST method used at  
this request. This makes it more easy the exploitation of the CSRF  
vulnerability. So, finally, this HTTP request provoke the same result  
that the original HTTP POST request:  
  
GET  
/fetch/manual-invite-create?emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn  
  
1. An attacker create a web page "csrf-exploit.html" that realize a  
HTTP GET request to the "Send Invitation" functionality.  
  
For example:  
...  
<img  
src="http://www.linkedin.com/fetch/manual-invite-create?emailAddresses=<attacker_email>&subject="  
width=0 height=0>  
...  
  
2. A user authenticated in LinkedIn visit the "csrf-exploit.html" page  
controlled by the attacker.  
  
For example, the attacker sends a mail to the victim (through the  
messaging system that provides LinkedIn is better as it ensures that  
the victim user is authenticated) and provokes that the victim visits  
his page (using social engineering techniques).  
  
3. The attacker receives an invitation request from the victim user,  
so the attacker just accept this invitation and the user is added to  
his connections/contacts.  
  
V. BUSINESS IMPACT  
-------------------------  
A malicious user can access to the information they share users that  
have been added to her contacts without his consent / knowledge.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
LinkedIn service.  
  
VII. SOLUTION  
-------------------------  
Pending.  
  
VIII. REFERENCES  
-------------------------  
http://www.linkedin.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by  
Vicente Aguilera Diaz vaguilera (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
January 16, 2013: Initial release  
March 30, 2013: New update  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
January 16, 2013: Vulnerability acquired by  
Internet Security Auditors.  
March 10, 2013: Sent to Sec Team.  
March 15, 2013: Notification about correction.  
March 25, 2013: Sent to lists.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as finance, telecommunications, insurance,  
ITC, etc. We are vendor independent provider with a deep expertise  
since 2001. Our efforts in R&D include vulnerability research, open  
security project collaboration and whitepapers, presentations and  
security events participation and promotion. For further information  
regarding our security services, contact us.  
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security  
advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/  
`