Security researchers from Internet Security Auditors have identified the vulnerabilities

Mar 27, 2013 21:41 GMT

Security researchers from Internet Security Auditors, a firm based in Spain, have identified several web vulnerabilities in LinkedIn. Since LinkedIn has patched the issues, the experts have decided to make their findings public.

The first vulnerability, a cross-site request forgery (CSRF), was identified in January by Vicente Aguilera Diaz. The security hole affected the “Add Connections” feature of the LinkedIn site, specifically the “Send Invitation” request.

“The user does not decide, for each request, whether to send cookies. It is the user's browser who sends cookies automatically and transparently each time the user visits a site,” Diaz told ThreatPost.

“A malicious user can force the user's browser to make a request on the web application, so the application has no more data to discern if the application comes from the legitimate user or from the malicious user, so it considers that the request has been performed by the legitimate user,” Diaz added.

The expert explained that an attacker could gain access to the private information of LinkedIn users by exploiting the vulnerability.

“For example, you could create a page that had malicious code that exploits the CSRF and post a link to this page on LinkedIn groups that have many users (hundreds of thousands of users). Users who read this post in the group will be authenticated in LinkedIn, so the exploit will have success and these users will add to the malicious user's contact network.”
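The server-side view of the condition Diaz describes, as an added example that is not from the article or from LinkedIn's code: a hypothetical send-invitation handler that trusts the session cookie alone, next to one that also requires a per-session anti-CSRF token. All function names, field names and sample values are constructed for illustration.

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory session store: cookie value -> session data

def login(user):
    """Create a session; return the cookie value and the token the site puts in its own forms."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token

def send_invitation_cookie_only(cookies, form):
    """Weak pattern: the session cookie is the only evidence of who sent the request."""
    if cookies.get("session") not in SESSIONS:
        return 401
    return 200  # accepted regardless of which page built the request

def send_invitation_with_token(cookies, form):
    """Hardened pattern: also require the per-session token, which a cross-site page cannot read."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    return 200

def demo():
    sid, token = login("alice")
    cookies = {"session": sid}  # the browser attaches this to every request to the site
    legit = {"invitee": "colleague@example.com", "csrf_token": token}
    forged = {"invitee": "stranger@example.com"}  # built off-site: cookie sent, token unknown
    guessed = dict(forged, csrf_token=secrets.token_urlsafe(32))
    return {
        "cookie_only_legit": send_invitation_cookie_only(cookies, legit),
        "cookie_only_forged": send_invitation_cookie_only(cookies, forged),
        "token_legit": send_invitation_with_token(cookies, legit),
        "token_forged": send_invitation_with_token(cookies, forged),
        "token_guessed": send_invitation_with_token(cookies, guessed),
        "no_session": send_invitation_with_token({}, legit),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The cookie-only handler returns the same status for the legitimate and the forged request, which is the "no more data to discern" condition in the quote; the token check is what separates them.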

Diaz’s colleague, Eduardo Garcia Melia, identified a total of four reflected cross-site scripting (XSS) vulnerabilities and reported them to LinkedIn at the beginning of March.

“This flaw can be used by a malicious user to send phishing to the LinkedIn customers, abusing the users’ trust on the LinkedIn portal, tricking the user. Also, an attacker could perform phishing attacks and inject HTML or script code in the context of victim's browser, so they can perform XSS attacks, and steal cookies of a targeted user,” Melia told ThreatPost.

The technical details of these vulnerabilities are available here and here.