Saturday, September 15, 2012

Linkedin's Clickjacking & Open Url Redirection Vulnerabilities


# Vulnerability Title: Secondary Email Addition & Deletion Via Click Jacking in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 06/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 07/08/2012
# Status: Fixed
# Patched On: 10/09/2012
# Public Release: 15/09/2012



I have found Click Jacking & Open Url Redirection vulnerabilities on Linkedin Website on 6th and 7th August 2012.



Summary

A Clickjacking vulnerability existed on Linkedin that allowed an attacker to add or delete a secondary email and can also make existing secondary email as primary email by redressing the manage email page.


Details

Linkedin manage email page (a total of 1 page) was lacking X-FRAME-OPTIONS in Headers and Frame-busting javascript  measures to prevent framing of the pages. So the manage email page could be redressed to 'click-jack' Linkedin users. Below I have mentioned the vulnerable Url and also attached the Proof of concept screenshots.


1. Click Jacking Vulnerable Url:
https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1


Click Jacking Vulnerability POC Screenshots:


The redressed editor page with frame opacity set to 0 so it is invisible to the user. As the user drags the computer into the trash-bin and clicks the Go button, a new secondary email will be added into the Linkedin user's account.



With the frames opacity set to 0.5 you can clearly see the redressed page and all the background. The computer is actually a text area that contains the attacker's email address which is selected by default with the computer image(Using JavaScript), once the Linkedin user drags the computer he will actually drag the attackers email address into the add secondary email address area and when he will click the go button, the Linkedin user will actually click the redressed add email address button and the attackers email will be successfully added in the Linkedin users account.




Secondary email added successfully into the Linkedin users account.




No X-Frame-Options in servers response header.



Linkedin addressed the vulnerability by adding X-FRAME-OPTIONS in header field which is set to SAMEORIGIN on this page.




# Vulnerability Title: Open Url Redirection in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 05/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 06/08/2012
# Status: Fixed
# Patched On: 07/09/2012
# Public Release: 15/09/2012



Summary

Open Url Redirection using which an attacker can redirect any Linkedin user to any malicious website. Below I have mentioned the vulnerable Url and also attached the Proof of concept video.


Original Open Url Redirection Vulnerable Url:




Crafted Open Url Redirection Vulnerable Url:
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in





Open Url Redirection Vulnerability POC Video:

 


Impact of Vulnerability:

The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site.


Special Thanks to AMol NAik, Sandeep Kamble and all G4H members :)

1 comment:

  1. Superb writing about linked! Thanks for sharing with your audience!

    ReplyDelete

You Have Successfully Posted the Message.