Authorization Bypass on LinkedIn

Summary:

LinkedIn has a feature called Project that lets you add project members from among your connections. We discovered a way to view a LinkedIn member's project even if he/she is not one of our connections, and we were also able to create a new project and add other LinkedIn members to it without their approval. Both were achieved by tampering with HTTP request parameters: the "connections only" restriction was enforced by the user interface, while the server accepted whatever member identifiers the client sent.

Technical Details
Vulnerability
A malicious user can create a fictitious project, say 'OWASP', and add any other LinkedIn member of his choice to it. This way the malicious actor can list famous people as members of his project and gain popularity from the association, even though those members never approved it.

Proof of Concept:

  • Created a new user with no connections.
  • Added a new project. When choosing members, the UI only lets you pick from your own connections, but by editing the request we were able to add any LinkedIn member to the project just by knowing the member's profile id, which is easy to retrieve.
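The following is an added example and is not LinkedIn's code or the original proof of concept. It models the Project feature with a hypothetical in-memory store (all names, ids and function names are assumptions) to show the two missing server-side checks: a member-add handler that trusts client-supplied profile ids, and a project-view handler with no relationship check, each beside a hardened version that validates the relationship on the server and turns additions into invitations the member must accept.

```python
"""Added example (not LinkedIn's code): a minimal in-memory model of a
'Project' feature showing the missing authorization checks and their fix.
All names, ids and the data model are hypothetical."""

from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass
class Project:
    project_id: str
    owner: str
    members: set = field(default_factory=set)
    pending: set = field(default_factory=set)   # invited, not yet accepted


@dataclass
class Store:
    connections: dict                 # user -> set of connected users (symmetric)
    projects: dict = field(default_factory=dict)

    def connected(self, a, b):
        return b in self.connections.get(a, set())


# Vulnerable: the server trusts whatever member ids arrive in the request.
# The UI only offers the actor's connections, but the parameter can be
# edited, so any profile id is accepted and added directly, with no consent.
def add_members_vulnerable(store, actor, project_id, member_ids):
    project = store.projects[project_id]
    if project.owner != actor:
        raise AuthorizationError("not the project owner")
    project.members.update(member_ids)
    return sorted(project.members)


def view_project_vulnerable(store, actor, project_id):
    # No relationship check at all: any authenticated user can read any project.
    return store.projects[project_id]


# Hardened: validate the server-side relationship, never the UI's choice.
def add_members_secure(store, actor, project_id, member_ids):
    project = store.projects[project_id]
    if project.owner != actor:
        raise AuthorizationError("not the project owner")
    for member in member_ids:           # reject before mutating anything
        if member == actor or not store.connected(actor, member):
            raise AuthorizationError(f"{member} is not a connection of {actor}")
    # Connections are invited, not silently added; membership needs consent.
    project.pending.update(member_ids)
    return sorted(project.pending)


def accept_invitation(store, actor, project_id):
    project = store.projects[project_id]
    if actor not in project.pending:
        raise AuthorizationError("no pending invitation")
    project.pending.discard(actor)
    project.members.add(actor)
    return sorted(project.members)


def view_project_secure(store, actor, project_id):
    project = store.projects[project_id]
    allowed = (actor == project.owner
               or actor in project.members
               or store.connected(actor, project.owner))
    if not allowed:
        raise AuthorizationError("not allowed to view this project")
    return project


def demo():
    """Constructed scenario: 'mallory' has no connections and owns project p1;
    'celeb' is a well-known member mallory is not connected to; 'alice' owns p2."""
    store = Store(connections={"alice": {"bob"}, "bob": {"alice"},
                               "mallory": set(), "celeb": set()})
    store.projects["p1"] = Project("p1", owner="mallory")
    store.projects["p2"] = Project("p2", owner="alice")
    results = {}
    # Vulnerable: mallory adds celeb knowing only the profile id.
    results["vuln_add"] = add_members_vulnerable(store, "mallory", "p1", ["celeb"])
    # Vulnerable: mallory views alice's project although they are not connected.
    results["vuln_view"] = view_project_vulnerable(store, "mallory", "p2").owner
    # Hardened: the same two requests are refused.
    try:
        add_members_secure(store, "mallory", "p1", ["celeb"])
        results["secure_add"] = "allowed"
    except AuthorizationError:
        results["secure_add"] = "denied"
    try:
        view_project_secure(store, "mallory", "p2")
        results["secure_view"] = "allowed"
    except AuthorizationError:
        results["secure_view"] = "denied"
    # Hardened happy path: alice invites her connection bob, bob accepts.
    add_members_secure(store, "alice", "p2", ["bob"])
    results["secure_happy"] = accept_invitation(store, "bob", "p2")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handlers is that the connection check runs against the server's own relationship data for every id in the request, before any state changes, and that adding someone only creates a pending invitation; a client that edits the request can still submit any profile id, but the server no longer acts on it.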

Status
Both issues were immediately addressed by LinkedIn and have been fixed. I really appreciate the way the LinkedIn team responded to this report: the issues were fixed within a week. Wow!
