LinkedIn Cross Site Request Forgery

2014-06-27T00:00:00
ID PACKETSTORM:127259
Type packetstorm
Reporter Kishor Sonawane
Modified 2014-06-27T00:00:00

Description

=============================================
Varutra Consulting Responsible Vulnerability Disclosure  
- Vulnerability release date: November 20th, 2013  
- Last revised: May 4th, 2014  
- Discovered by: Kishor Sonawane, Varutra Consulting  
=============================================  
  
1. VULNERABILITY  
-------------------------  
CSRF vulnerability in LinkedIn allowing a remote attacker to delete any user's recommendations
  
2. BACKGROUND  
-------------------------  
LinkedIn is a business-oriented social networking service. One purpose of the site is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn
  
LinkedIn has already hit the 300 million users mark in 2014.   
  
3. DESCRIPTION  
-------------------------  
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
  
More info about CSRF:  
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
LinkedIn is vulnerable to CSRF in one of its most important features, "Recommendations". LinkedIn allows, and in fact encourages, a user to view the recommendations that other users have received; they are shown as "Recommendations for 'UserName'".

An attacker can craft a request that deletes a received recommendation and send it to the victim user. The attack can be carried out with a simple GET request. The attacker does not even need a separate channel to deliver the malicious CSRF request; LinkedIn's own mail feature is sufficient.
  
4. PROOF OF CONCEPT  
-------------------------------  
  
An attacker can first view his/her own recommendations to learn the shape of the delete URL.

Here is a typical request to delete a recommendation for a logged-in user.

https://www.linkedin.com/recommendations?wdr=&recID=123456789&goback=%2Enas_*1_*1_*1%2Eprs
The recID is a unique identifier generated by LinkedIn for each recommendation a user receives.

In its simplest form the request is

https://www.linkedin.com/recommendations?wdr=&recID=123456789

The victim's recID can be read from the web page source while viewing the victim user's recommendations from the attacker's own account.

Steps to conduct the attack.
I. The attacker visits the victim's LinkedIn profile and views the recommendations the victim has received.
II. The attacker opens the page source in his own browser and reads the recID of the victim's recommendation.
III. The attacker crafts the malicious CSRF link and sends it to the victim through LinkedIn mail.
IV. When the victim, who is logged in, clicks the link, the browser attaches the victim's session cookie, LinkedIn performs the state change on a plain GET with no anti-CSRF token, and the recommendation is withdrawn / deleted.
  
  
  
5. BUSINESS IMPACT  
-------------------------  
An attacker can withdraw / delete any recommendation of any user.
  
6. SYSTEMS AFFECTED  
-------------------------  
LinkedIn service  
  
7. SOLUTION  
-------------------------  
Resolved by LinkedIn   
  
8. REFERENCES  
-------------------------  
http://www.linkedin.com  
http://www.varutra.com  
  
9. CREDITS  
-------------------------  
This vulnerability has been discovered by  
Kishor (at) varutra (dot) com  
  
10. REVISION HISTORY  
-------------------------  
November 20, 2013: Initial release  
May 04, 2014: New update  
  
11. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.  
  
12. ABOUT  
-------------------------  
Varutra Consulting is a pure play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile devices and networks.
Our Mission is to exceed client expectations, deliver quality security services in totality, covering People, Process and Technology asset of the client, with assurance of comprehensive coverage on every possible facet of information security related risk.   
  
13. FOLLOW US  
-------------------------  
You can follow Varutra Consulting, news and security advisories at:  
  
http://varutra.com/news.php  
https://www.facebook.com/pages/Varutra-Consulting/136105459900291   