LinkedIn Mobile Apps Bad Security Architecture: A Case Study



nishant
04-12-2012, 02:45 PM
Breaking News: 1990's programming mistakes repeated in 2012.


Introduction

Well, the title of the post is self-explanatory. It is really sad to see the obvious programming mistakes of the 90's being repeated, by industry giants like LinkedIn, in 2012, when we have so many documented guidelines for secure programming. Do we still call this lack of awareness?


Responsible Disclosure Timeline

Vendor Notified: 25th November 2011
Vendor Response: 28th November 2011
Conclusion: Not fixed as of today (11 April 2012). No further communication from either side.

Details

Device Model: iPhone 4S
Platform: Apple’s iOS 5.0
LinkedIn App Version: <= 4.3.3 (05 April 2012)
Note: All LinkedIn apps or sites based on touch.www.linkedin.com are probably vulnerable.



1. Session cookie transported over HTTP

Severity: Medium

Description: The session cookie “lim_auth” is transported over HTTP in clear text. This is the only authentication parameter for LinkedIn (http://touch.www.linkedin.com) services. It is highly susceptible to being sniffed by an attacker with a network packet capture tool like Wireshark.


2. Session cookie doesn’t expire

Severity: High

Description: The session cookie “lim_auth” doesn’t expire for a "long" time, i.e. until the user logs out of the mobile app. And just to remind you, I never log out of my mobile apps, because that would mean no push notifications and the annoyance of re-logging in every time on a small keypad. This implies that once an attacker has successfully gained access to a user’s valid session, he can use it over a long period of time, until the user has “Signed Out” of the LinkedIn mobile application. An attacker may write an AJAX-based custom frontend to easily leverage the JSON-based services of LinkedIn (http://touch.www.linkedin.com). The attacker can then route his service calls through a desktop proxy server that supports a URL Rewrite feature, where it can append headers to the HTTP requests made to LinkedIn (http://touch.www.linkedin.com), and easily access the services. I have also implemented this scenario for my testing using Charles Web Debugging Proxy.


3. CSRF on “Status Share” Feature

Severity: Critical

Description: The HTTP POST request below is made whenever the user tries to “Share Status” from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully post arbitrary messages to the victim’s LinkedIn profile without his knowledge.



POST /li/v1/updates HTTP/1.1
Host: touch.www.linkedin.com
User-Agent: iphone3_1
Accept: application/json
X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
X-System-Version: 5.0
X-System-Name: iPhone OS
X-Device-Model: iPhone
Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326235830768","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
X-App-Version: 4.0.3
X-User-Language: en
X-User-Locale: en_US
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

twitter=false&nc=1326235830768&comment=%21%21%21&visibility=connections



4. CSRF on “New Message” Feature

Severity: Critical

Description: The HTTP POST request below is made whenever the user tries to send a “New Message” to any of his/her connections from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully send arbitrary and potentially abusive messages to the victim’s connections, or may use it for Social Engineering.



POST /li/v1/messages HTTP/1.1
Host: touch.www.linkedin.com
User-Agent: iphone3_1
Content-Length: 60
Accept: application/json
X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
X-System-Version: 5.0
X-System-Name: iPhone OS
X-Device-Model: iPhone
Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326661672150","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
X-App-Version: 4.0.3
X-User-Language: en
X-User-Locale: en_US
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive


type=msg&subject=Hello&to=27565348&body=Hii&nc=1326661672150



5. CSRF on “New Discussion” in Groups Feature

Severity: Critical

Description: The HTTP POST request below is made whenever the user tries to start a “New Discussion” in a Group he is already associated with from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully



POST /li/v1/groups/1772050/posts HTTP/1.1
Host: touch.www.linkedin.com
User-Agent: iphone3_1
Content-Length: 36
Accept: application/json
X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
X-System-Version: 5.0
X-System-Name: iPhone OS
X-Device-Model: iPhone
Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326661672150","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
X-App-Version: 4.0.3
X-User-Language: en
X-User-Locale: en_US
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive


summary=..&title=..&nc=1326661672150



6. CSRF on “Send/Accept” in Invitations

Severity: Critical

Description: Similar to above explained exploits.

Do share your concerns/thoughts through the posts below.
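As an added example (not part of nishant's post and not LinkedIn's code), the Python below models the missing control behind items 3 to 6: a server-side handler for the form-encoded /li/v1/updates POST captured above, first behaving as described (the lim_auth cookie alone authorises the post) and then with a synchronizer token bound to the session. The in-memory session store, the X-CSRF-Token header name and the Origin allow-list are assumptions; nothing about the real service's internals is known from the thread.

```python
# Added example (not LinkedIn code): synchronizer-token CSRF check for a
# form-encoded POST such as the captured /li/v1/updates request.
# Assumed: the session store below, the X-CSRF-Token header name and the
# Origin allow-list.
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: lim_auth value -> session record.
SESSIONS = {}
ALLOWED_ORIGINS = {"https://touch.www.linkedin.com"}  # assumption


def create_session(user):
    """Issue a session id plus a CSRF token bound to that session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_update_vulnerable(headers, body):
    """Behaviour described in item 3: the lim_auth cookie alone authorises
    the post, so any request that carries it (including one a third-party
    page caused the client to send) is accepted."""
    sid = parse_cookie(headers.get("Cookie", "")).get("lim_auth")
    if sid not in SESSIONS:
        return 401, "no session"
    comment = parse_qs(body).get("comment", [""])[0]
    return 200, f"posted: {comment}"


def handle_update_hardened(headers, body):
    """Same endpoint with a request-bound secret: the caller must present
    the CSRF token issued for its session, compared in constant time.
    An Origin header, when present, must also match the service host;
    absence is tolerated because the token is the primary control."""
    sid = parse_cookie(headers.get("Cookie", "")).get("lim_auth")
    if sid not in SESSIONS:
        return 401, "no session"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    expected = SESSIONS[sid]["csrf"].encode()
    supplied = headers.get("X-CSRF-Token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or wrong csrf token"
    comment = parse_qs(body).get("comment", [""])[0]
    return 200, f"posted: {comment}"
```

The token must be something a third-party page cannot obtain: it is issued to the client after login and sent in a header (or body field) that the browser does not attach automatically the way it attaches cookies. The same pattern applies unchanged to the /li/v1/messages and group post requests in items 4 to 6, which carry exactly the same set of headers.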

Anant Shrivastava
04-13-2012, 01:48 PM
did you try

twitter=true

to see if the update flows to twitter too (in case it's linked)

also did you try checking the android app.
I will download and check if the android app also has a similar flaw.

nishant
05-04-2012, 11:38 AM
> did you try
>
> twitter=true
>
> to see if the update flows to twitter too (in case it's linked)
>
> also did you try checking the android app.
> I will download and check if the android app also has a similar flaw.



Hi Anant,

Sorry for such a late reply. Yes, the twitter option shares the content on twitter; however, it has to be granted access by the user.

Next, as I said, LinkedIn mobile apps are 95% HTML5 -> a mobile website wrapped in a thin native client. And all its mobile apps use www.touch.linkedin.com as the webservice endpoint, which just implies all are vulnerable. Having said that, they released their 1st iPad client 1-2 days back, which at first look seems to be slightly different. I have installed it, will check ASAP and write my findings here.

satishb3
12-05-2012, 07:03 AM
hmmm nice. In addition to that, logout really does not expire the session cookies. It just removes them from the phone. So if we grab the old cookie file, we can log into linkedin. I reported this to LinkedIn 6 months ago. Complete details are at - LinkedIn iPhone app does not expire session on logout (http://www.securitylearn.net/2012/08/04/linkedin-iphone-application-session-expiration-vulnerability/)
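As an added example (not from this thread and not LinkedIn's code), the Python below shows the server-side session lifecycle that items 1 and 2 of the original post and satishb3's logout observation call for: a Set-Cookie with Secure and HttpOnly so the cookie cannot travel over plain HTTP, idle and absolute timeouts so a captured cookie stops working on its own, and a logout that revokes the record on the server rather than only deleting the phone's copy. The timeout values, the injectable clock and the audit helper are assumptions for illustration.

```python
# Added example (not LinkedIn code): server-side lifecycle for a session
# cookie like lim_auth.  Timeouts and the injectable clock are assumptions.
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # assumed: 30 minutes without a request
ABSOLUTE_TIMEOUT = 24 * 3600  # assumed: 24 hours since login


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested offline
        self.sessions = {}      # session id -> record

    def login(self, user):
        """Create a fresh, unguessable session id for this login."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def set_cookie_header(self, sid):
        """Secure: never sent over http:// (item 1); HttpOnly: not readable
        by page script.  Max-Age only hints to the client; the server-side
        check in authenticate() is what actually ends the session."""
        return (f"lim_auth={sid}; Path=/; Secure; HttpOnly; "
                f"Max-Age={ABSOLUTE_TIMEOUT}")

    def authenticate(self, sid):
        """Return the user for a live session, or None.  Expired records
        are deleted so the id cannot be revived later (item 2)."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if (now - rec["created"] > ABSOLUTE_TIMEOUT
                or now - rec["last_seen"] > IDLE_TIMEOUT):
            del self.sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        """Revoke on the server.  Deleting the cookie file on the phone
        alone leaves the id valid, which is the behaviour satishb3 reports."""
        return self.sessions.pop(sid, None) is not None


def cookie_is_sent_over_plain_http(set_cookie_header):
    """Audit helper for a Set-Cookie line: without the Secure attribute the
    cookie is attached to http:// requests and is sniffable in transit."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs
```

Because the store is keyed by a random id and never trusts the client's copy, a cookie lifted from an old cookie file or a packet capture is useless once the user logs out or the timeouts elapse; the client-side Max-Age is only a convenience, never the control.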