LinkedIn Authorization Bypass Vulnerability To Send Messages
Overview:
In this following test, I wanted to see whether I was able to view personal details of some other person who was not in my connection list on LinkedIn. By default, LinkedIn doesn’t allow you to view the contact details of the person who is not in your connections list. Let us dig deeper to find out whether it is really possible.
Technical Details:
1) A user logs in to his LinkedIn Account and visits the profile of another user (in this case I chose target my connection Manas Deep) who was not in my connection list. From the below figure, it is evident that I was initially not able to view the contact details of my target connection Manas Deep.
Figure 1: User visits any anonymous account
2) Now, I visited my Connections tab and on clicking on my friend Abnawe Rajendra, I’m able to view the contact details of Rajendra Abnawe since he is in my Connections list.
Figure 2: View details of Rajendra
3) Observing the entire request by capturing it via Burp Suite proxy, I found out that when I clicked on a user connection, the browser actually sends a request to the application containing the member ID of his connection. Now, I modified the request by replacing the parameter of member id (retrieved from URL in Figure 1) with that of Manas Deep (who was not in my connections list) and sent it to the application.
4) To my surprise, I was now able to see the complete contact details of Manas Deep. Here is the screenshot of the same as below.
Figure 3: View Details of un-friended user
5) Encouraged by this finding, I tried to leverage this attack by clicking on ‘Send Message’ to try sending a mail to Manas Deep. In ideal case, I should not be able to do that since by default the LinkedIn application restricts sending mails to users who are not in our connection list. The ‘Send message’ option is available through the ‘Compose Message’ module in the ‘Inbox’ tab.
Figure 4: Mail sent successfully to Manasdeep
As evident from the screenshot above, I was able to successfully send the mail to Manas Deep even when he was not in my connection list. I did that by just replacing the Member ID with his Member ID.
Thus, in a similar fashion, an attacker can enumerate all its targeted Member IDs and collect their personal details. He can then leverage this to even send emails to all these users without adding them to the friends list.
Status:
Within 48 hrs of reporting this vulnerability on LinkedIn, their security team got in touch with me and addressed the vulnerability promptly. I appreciate the agility and quick action taken by of the LinkedIn team to protect the privacy of its clients.
No comments:
Post a Comment