LinkedIn Join Group Cross Site Request Forgery

18 Oct 2013. Reported by Eduardo Garcia Melia. Source: packetstorm (packetstormsecurity.com)

A CSRF vulnerability in LinkedIn's "Join Groups" feature allows an attacker to add authenticated users to a group of his choosing. The vulnerability impacts user data security and web application integrity.

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-016  
- Original release date: June 8th, 2013  
- Last revised: July 11th, 2013  
- Discovered by: Eduardo Garcia Melia  
- Severity: 4.3/10 (CVSSv2 Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
CSRF vulnerability in LinkedIn  
  
II. BACKGROUND  
-------------------------  
LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals are signing up to join LinkedIn at a rate of approximately two new members per second. Currently, over 175 million professionals use LinkedIn to exchange information, ideas and opportunities.
  
III. DESCRIPTION  
-------------------------  
CSRF (Cross-Site Request Forgery) is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
  
More info about CSRF:  
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
LinkedIn is vulnerable to CSRF attacks in the "Join Groups" functionality. The only token used to authenticate the user is a session cookie, and the browser sends this cookie automatically with every request, regardless of which site triggered the request.
  
LinkedIn Groups provide a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts.
  
An attacker can create a page that includes requests to LinkedIn's "Join Group" functionality; any authenticated user who visits the attacker's page is then added to the attacker's group.

The attack is made easier because the "Join Group" request can be issued with the HTTP GET method instead of the POST method that the "Join Group" button normally uses.
  
IV. PROOF OF CONCEPT  
-------------------------  
Below is a typical request to the "Join Group" functionality:

POST /nhome/nux/group HTTP/1.1
Host: www.linkedin.com
...

grpId=<GROUPID>&trk=nux-group-join
  
The HTTP GET method can also be used instead of the HTTP POST method of this request, which makes the CSRF vulnerability easier to exploit. The following HTTP request produces the same result as the original HTTP POST request:

GET /nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join HTTP/1.1
Host: www.linkedin.com
...
  
1. The attacker creates a web page "csrf-exploit.html" that issues an HTTP GET request to the "Join Group" functionality.

For example:
...
<img src="http://www.linkedin.com/nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join" width=0 height=0>
...
  
2. A user authenticated in LinkedIn visits the "csrf-exploit.html" page controlled by the attacker.

For example, the attacker sends a message to the victim (using LinkedIn's own messaging system is preferable, since it ensures that the victim is authenticated) and, using social engineering techniques, induces the victim to visit his page.
  
3. The attacker receives a membership request from the victim user; the attacker simply accepts this request and the user is added to his group.
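A minimal server-side illustration of the flaw and its fix, added here as an example and not part of the advisory or of LinkedIn's code: the first handler accepts the join request on GET or POST with the session cookie as its only check, as the advisory describes, while the second requires POST, a same-origin Origin header and a session-bound anti-CSRF token, so a request triggered from a third-party page (an img tag or a cross-site form) is refused. The session store, the example-site origin and the Request class are assumptions; the path and grpId parameter follow the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
MEMBERSHIP_REQUESTS = []  # (group id, user) pairs: the state the forged request changes

@dataclass
class Request:  # assumed minimal model of an incoming HTTP request
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def session_of(req):
    # Both handlers identify the user the way the advisory describes: a session
    # cookie that the browser attaches to every request to the site automatically.
    return SESSIONS.get(req.cookies.get("sid"))

def join_group_vulnerable(req):
    """Behaviour described in the advisory: GET or POST, the cookie is the only check."""
    sess = session_of(req)
    grp = req.query.get("grpId") or req.form.get("grpId")
    if sess is None or grp is None:
        return 403
    MEMBERSHIP_REQUESTS.append((grp, sess["user"]))
    return 200

def join_group_hardened(req, site_origin="https://www.example-site.test"):
    """State change only via POST, same-origin, with a session-bound CSRF token."""
    sess = session_of(req)
    if sess is None:
        return 403
    if req.method != "POST":
        return 405  # an <img> tag can only issue GET, so GET never changes state
    if req.headers.get("Origin") != site_origin:
        return 403  # a cross-site form post carries the attacking page's Origin
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # the attacker's page cannot read the victim's token
    grp = req.form.get("grpId")
    if grp is None:
        return 400
    MEMBERSHIP_REQUESTS.append((grp, sess["user"]))
    return 200
```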
  
V. BUSINESS IMPACT  
-------------------------  
A malicious user can make victims send a request to join his group without their consent or knowledge.
  
VI. SYSTEMS AFFECTED  
-------------------------  
LinkedIn service.  
  
VII. SOLUTION  
-------------------------  
Pending.  
  
VIII. REFERENCES  
-------------------------  
http://www.linkedin.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability was discovered by Eduardo Garcia Melia (egarcia(at)isecauditors(dot)com).
  
X. REVISION HISTORY  
-------------------------  
June 08, 2013: Initial release  
June 11, 2013: New update  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
June 11, 2013: Vulnerability acquired by  
Internet Security Auditors.  
July 11, 2013: Sent to LinkedIn SecTeam.  
August 15, 2013: Vulnerability solved by LinkedIn SecTeam.
October 17, 2013: Disclosure  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security event participation and promotion. For further information regarding our security services, contact us.
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/  
