# Vulnerability Title: Secondary Email Addition & Deletion Via Click Jacking in LinkedIn
# Website Link: [Tried on Indian version]
# Found on: 06/08/2012
# Author: Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 07/08/2012
# Status: Fixed
# Patched On: 10/09/2012
# Public Release: 15/09/2012
I found Click Jacking & Open URL Redirection vulnerabilities on the LinkedIn website on 6th and 7th August 2012.
Summary
A Clickjacking vulnerability existed on LinkedIn that allowed an attacker to add or delete a secondary email address, and also to make an existing secondary email address the primary one, by redressing the manage email page.
Details
The LinkedIn manage email page (a single page) lacked both an X-Frame-Options response header and frame-busting JavaScript to prevent framing, so the manage email page could be redressed to 'click-jack' LinkedIn users. Below I have mentioned the vulnerable URL and also attached the proof of concept screenshots.
1. Click Jacking Vulnerable URL:
https://www.linkedin.com/
Click Jacking Vulnerability POC Screenshots:

Screenshot 1: The redressed manage email page with the frame opacity set to 0, so it is invisible to the user. As the user drags the computer into the trash bin and clicks the Go button, a new secondary email address is added to the LinkedIn user's account.

Screenshot 2: With the frame opacity set to 0.5 you can clearly see the redressed page and all of the background. The computer is actually a text area containing the attacker's email address, which is selected by default together with the computer image (using JavaScript). When the LinkedIn user drags the computer, he actually drags the attacker's email address into the add secondary email address field, and when he clicks the Go button he actually clicks the redressed add email address button, so the attacker's email address is added to the LinkedIn user's account.

Screenshot 3: Secondary email address added successfully to the LinkedIn user's account.

Screenshot 4: No X-Frame-Options header in the server's response.

LinkedIn addressed the vulnerability by adding an X-Frame-Options response header set to SAMEORIGIN on this page, which tells the browser to refuse rendering the page inside a frame served from any other origin.
# Vulnerability Title: Open URL Redirection in LinkedIn
# Website Link: [Tried on Indian version]
# Found on: 05/08/2012
# Author: Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 06/08/2012
# Status: Fixed
# Patched On: 07/09/2012
# Public Release: 15/09/2012
Summary
An Open URL Redirection vulnerability existed on LinkedIn through which an attacker could redirect any LinkedIn user to any malicious website. Below I have mentioned the vulnerable URL and also attached the proof of concept video.
Original Open URL Redirection Vulnerable URL:
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/https%3A%2F%2Fhelp.linkedin.com%2Fapp%2Fhome%2Fh%2Fc%2Ffrom_auth%2Ftrue
Crafted Open URL Redirection Vulnerable URL:
https://help.linkedin.com/app/
Open URL Redirection Vulnerability POC Video:
Impact of Vulnerability:

The user may be redirected to an untrusted page that contains malware, which may then compromise the user's machine. This exposes the user to extensive risk, and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

The user may also be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker-controlled web page that appears to be a trusted website. The phishers may then steal the user's credentials and use them to access the legitimate website.
Special Thanks to AMol NAik, Sandeep Kamble and all G4H members :)