LinkedIn User Account Handling

2014-07-29T00:00:00
ID PACKETSTORM:127659
Type packetstorm
Reporter Kishor Sonawane
Modified 2014-07-29T00:00:00

Description

                                        
                                            `=============================================  
Varutra Consulting Responsible Vulnerability Disclosure  
- Vulnerability release date: November 11th, 2013  
- Last revised: February 5th, 2014  
- Discovered by: Kishor Sonawane, Varutra Consulting  
=============================================  
  
1. VULNERABILITY  
-------------------------  
Multiple vulnerabilities in LinkedIn User Account Handling  
  
2. BACKGROUND  
-------------------------  
LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn  
  
LinkedIn has already hit the 300 million users mark in 2014.   
  
3. DESCRIPTION  
-------------------------  
There are multiple security issues in LinkedIn user account handling.   
  
In a normal scenario a LinkedIn user logs into his/her account and can change existing Email address or add new Email address. User can use any of the Email addresses to login into LinkedIn account.   
  
It was observed that following security issues are present in LinkedIn  
  
a. LinkedIn adds new Email address without any confirmation from the user.   
By simply adding a new Email address will make it fully functioning immediately.   
  
This means if an attacker manages to add an arbitrary Email Id to a victim user's LinkedIn account then it will not need any verification.   
Also, an attacker can ask for password reset link from LinkedIn forgot password page immediately after adding the arbitrary Email id to a victim's account and own his/her account.   
  
b. User (LinkedIn account owner) cannot remove the arbitrary Email address (added by an attacker) from his own LinkedIn account.   
  
So if the victim comes to know that an unknown Email Id has got added to his/her account still they cannot remove it as LinkedIn does not process the request of removal successfully and only shows a false message that the Email Id has been removed.   
  
c. Insecure password reset module  
  
Even after password reset link is used and user has changed the password, this link will be activated for 24 hours where attacker can reset the password again and again. This way once compromised account can not be secured again by the victim user.   
  
4. PROOF OF CONCEPT  
-------------------------------  
  
Steps to conduct the attack.   
I. Attacker use some techniques such as CSRF like vulnerability to Social Engineering and adds a custom Email Id to victim's LinkedIn account.  
II. Attacker goes to LinkedIn forgot password page and reset victim's password by providing the newly added Email id.   
III. Attacker accesses the password reset link from custom Email id account and owns victim's LinkedIn account.   
IV. Victim user on knowing that his account is compromised will try to remove the newly added custom Email Id/attacker's Email Id but cannot remove it.   
V. Victim user will reset his password with his own account but attacker will again access the same password reset link and reset the password to continue having access to victim's LinkedIn account.   
  
  
5. BUSINESS IMPACT  
-------------------------  
An attacker can compromise a LinkedIn user account and can retain his access forever.  
  
6. SYSTEMS AFFECTED  
-------------------------  
LinkedIn service  
  
7. SOLUTION  
-------------------------  
Resolved by LinkedIn   
  
8. REFERENCES  
-------------------------  
http://www.linkedin.com  
http://www.varutra.com  
  
9. CREDITS  
-------------------------  
This vulnerability has been discovered by  
Kishor (at) varutra (dot) com  
  
10. REVISION HISTORY  
-------------------------  
November 11, 2013: Initial release  
February 05, 2014: New update  
  
11. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.  
  
12. ABOUT  
-------------------------  
Varutra Consulting is a pure play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile application and network infrastructure.  
Our Mission is to exceed client expectations, deliver quality security services in totality, covering People, Process and Technology asset of the client, with assurance of comprehensive coverage on every possible facet of information security related risk.   
  
13. FOLLOW US  
-------------------------  
You can follow Varutra Consulting, news and security advisories at:  
  
http://varutra.com/news.php  
https://www.facebook.com/pages/Varutra-Consulting/136105459900291  
https://www.linkedin.com/company/varutra-consulting  
`