LinkedIn has addressed a clickjacking vulnerability in the “remove connections” section of the website. The security hole was discovered by Jovyn Lobo (7h3_j0k3r), a security consultant at Payatu Technologies and the author of the “game | over” web app penetration testing platform.
According to the expert, an attacker could have leveraged the flaw to trick LinkedIn users into removing some of their existing connections without realizing it.
Victims of such an attack would be tricked into thinking that they were clicking on innocent links or buttons, when in reality they would be unwittingly deleting their connections.
The vulnerability was reported to LinkedIn in September 2012, but the company only addressed the issue on January 11, 2013.
The expert says the social media site fixed the security hole by implementing the X-Frame-Options response header, which stops the page from being embedded in a frame on another site. For more details, check out the PoC video published by Lobo.
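As an added example (not LinkedIn's code or the researcher's), the following Python check inspects a response's headers to decide whether they actually prevent framing, covering the X-Frame-Options fix the article mentions as well as the Content-Security-Policy frame-ancestors directive that current browsers prefer over it; the sample header sets are constructed.

```python
"""Classify how well an HTTP response protects itself against being framed.

Added example; not code from LinkedIn or from the researcher. The sample
header dictionaries below are constructed, not captured from a real site.
"""
from typing import List, Mapping, Optional

# The only X-Frame-Options values browsers reliably enforce.
XFO_BLOCKING = {"DENY", "SAMEORIGIN"}


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return one of:
    'blocked-csp'    frame-ancestors restricts framing (browsers then ignore XFO)
    'blocked-xfo'    X-Frame-Options is DENY or SAMEORIGIN
    'unreliable-xfo' X-Frame-Options is set to a value browsers ignore or
                     handle inconsistently (ALLOW-FROM, conflicting values)
    'unprotected'    nothing in the headers prevents framing
    """
    # Header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # A wildcard source list permits any site to frame the page, and
        # because frame-ancestors is present, XFO no longer applies.
        return "unprotected" if "*" in ancestors else "blocked-csp"
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected"
    # Two proxies each adding the header yields "DENY, SAMEORIGIN"; browsers
    # disagree on how to treat that, so it cannot be relied on.
    tokens = [t.strip().upper() for t in xfo.split(",")]
    if len(tokens) == 1 and tokens[0] in XFO_BLOCKING:
        return "blocked-xfo"
    return "unreliable-xfo"


# Constructed "before" (no header) and "after" (header added) responses.
SAMPLE_BEFORE = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_AFTER = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print("before fix:", framing_protection(SAMPLE_BEFORE))
    print("after fix: ", framing_protection(SAMPLE_AFTER))
```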