Happy 25th Birthday to the World Wide Web!

Today is the web’s 25th birthday. On March 12, 1989, I distributed a proposal to improve information flows: “a ‘web’ of notes with links between them.”

Though CERN, as a physics lab, couldn’t justify such a general software project, my boss Mike Sendall allowed me to work on it on the side. In 1990, I wrote the first browser and editor. In 1993, after much urging, CERN declared that WWW technology would be available to all, without paying royalties, forever.

The first web server, used by Tim Berners-Lee. Photo via Wikipedia

This decision enabled tens of thousands to start working together to build the web. Now, about 40 percent of us are connected and creating online. The web has generated trillions of dollars of economic value, transformed education and healthcare and activated many new movements for democracy around the world. And we’re just getting started.

How has this happened? By design, the underlying Internet and the WWW are non-hierarchical, decentralized and radically open. The web can be made to work with any type of information, on any device, with any software, in any language. You can link to any piece of information. You don’t need to ask for permission. What you create is limited only by your imagination.

So today is a day to celebrate. But it’s also an occasion to think, discuss—and do. Key decisions on the governance and future of the Internet are looming, and it’s vital for all of us to speak up for the web’s future. How can we ensure that the other 60 percent around the world who are not connected get online fast? How can we make sure that the web supports all languages and cultures, not just the dominant ones? How do we build consensus around open standards to link the coming Internet of Things? Will we allow others to package and restrict our online experience, or will we protect the magic of the open web and the power it gives us to say, discover, and create anything? How can we build systems of checks and balances to hold the groups that can spy on the net accountable to the public? These are some of my questions—what are yours?

On the 25th birthday of the web, I ask you to join in—to help us imagine and build the future standards for the web, and to press for every country to develop a digital bill of rights to advance a free and open web for everyone. Learn more at webat25.org and speak up for the sort of web we really want with #web25. 

LinkedIn Authorization Bypass Vulnerability To Send Messages

Overview:
In the following test, I wanted to see whether I was able to view the personal details of another person who was not in my connection list on LinkedIn. By default, LinkedIn doesn’t allow you to view the contact details of a person who is not in your connections list. Let us dig deeper to find out whether it is really possible.

Technical Details:
1) A user logs in to his LinkedIn account and visits the profile of another user who is not in his connection list (in this case I chose Manas Deep as the target). From the figure below, it is evident that I was initially not able to view the contact details of the target, Manas Deep.

Figure 1: User visits any anonymous account

2) Next, I visited my Connections tab and clicked on my friend Rajendra Abnawe. I was able to view his contact details, since he is in my connections list.

Figure 2: View details of Rajendra

3) Observing the entire request by capturing it via the Burp Suite proxy, I found that when I clicked on a connection, the browser sends a request to the application containing that connection’s member ID. I then modified the request by replacing the member ID parameter with that of Manas Deep (retrieved from the URL in Figure 1), who was not in my connections list, and sent it to the application.

Authorization Bypass vulnerability in LinkedIn

4) To my surprise, I was now able to see the complete contact details of Manas Deep. The screenshot below shows this.

Figure 3: View Details of un-friended user

5) Encouraged by this finding, I tried to extend this attack by clicking on ‘Send Message’ to try sending a mail to Manas Deep. Ideally, I should not be able to do that, since by default LinkedIn restricts sending mail to users who are not in your connection list. The ‘Send Message’ option is available through the ‘Compose Message’ module in the ‘Inbox’ tab.

Figure 4: Mail sent successfully to Manas Deep

As is evident from the screenshot above, I was able to send the mail to Manas Deep even though he was not in my connection list, simply by replacing the member ID in the request with his.

Thus, in a similar fashion, an attacker can enumerate targeted member IDs and collect those members’ personal details, and can then leverage this to send mail to all of them without adding them as connections.
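The root cause above is that the server trusts the member ID supplied by the client and never checks the connection relationship itself (an insecure direct object reference). The following added example, which is not code from the post or from LinkedIn, models the vulnerable contact-details handler beside a fixed version that enforces the check server-side for both the details and the messaging paths; the member IDs, names and connection list are constructed sample data.

```python
# Constructed sample data: member IDs, contact details and connection lists.
CONTACTS = {
    "m100": {"name": "Rajendra", "email": "rajendra@example.invalid"},
    "m200": {"name": "Manas", "email": "manas@example.invalid"},
}
CONNECTIONS = {
    "me": {"m100"},  # Rajendra (m100) is a connection; Manas (m200) is not
}


class AuthorizationError(Exception):
    """Raised when the requester is not allowed to act on the target member."""


def contact_details_vulnerable(requester, member_id):
    """Insecure: the handler looks up whatever member ID the client sent and
    never asks whether the requester is connected to that member, so swapping
    the ID in the request discloses any member's details."""
    return CONTACTS[member_id]


def is_connected(requester, member_id):
    """Server-side relationship check. The decision comes from the server's
    own connection data, never from anything carried in the request."""
    return member_id in CONNECTIONS.get(requester, set())


def contact_details_fixed(requester, member_id):
    """Fixed: enforce the connection relationship before releasing details."""
    if not is_connected(requester, member_id):
        raise AuthorizationError(f"{requester} is not connected to {member_id}")
    return CONTACTS[member_id]


def send_message_fixed(requester, member_id, body):
    """The same check guards the messaging path, so the bypass cannot be
    reused to mail non-connections. Returns the delivered envelope."""
    if not is_connected(requester, member_id):
        raise AuthorizationError(f"{requester} may not message {member_id}")
    return {"from": requester, "to": member_id, "body": body}


if __name__ == "__main__":
    print(contact_details_vulnerable("me", "m200"))  # leaks a non-connection
    print(contact_details_fixed("me", "m100"))       # allowed: a connection
    try:
        contact_details_fixed("me", "m200")
    except AuthorizationError as exc:
        print("denied:", exc)
```

The fix belongs on every endpoint that takes a member ID, not only the profile page; the post shows the messaging module was reachable with the same swapped ID.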

Status:
Within 48 hrs of reporting this vulnerability to LinkedIn, their security team got in touch with me and addressed it promptly. I appreciate the agility and quick action taken by the LinkedIn team to protect the privacy of its clients.