The Story Behind LinkedIn Security Flaw - December/2017

Before I start, I have to thank Tom Warren from The Verge (@verge). Keep reading to find out why.

Last month, on November 20, I found a vulnerability in LinkedIn: a PHP injection caused by a bad filter.
The vulnerability exists in the endpoint https://www.linkedin.com/voyager/api/feed/shares?action=create, which is used to create a new post. The request carries a variable named "url", which becomes the SRC attribute of the uploaded image. By changing the "url" value to a remote PHP file hosted outside LinkedIn, an attacker can obtain the user's details as soon as the image is clicked.
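As an added example (not LinkedIn's code and not part of the original post), this is the kind of server-side check that closes the bug described above: the share-creation handler refuses any image "url" whose scheme or host is not on an allow-list of hosts the site itself controls. The host names and the request payload are constructed placeholders.

```python
# Added example: allow-listing the "url" field of a create-share request so the
# stored image SRC can only point at hosts the site controls. Host names and
# payload values below are constructed placeholders, not LinkedIn's.
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Assumed allow-list of image hosts (placeholder names).
ALLOWED_IMAGE_HOSTS = ("media.example-social.invalid", "cdn.example-social.invalid")


def image_url_problem(url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> Optional[str]:
    """Return None if url is acceptable as an image SRC, otherwise a reason."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable url"
    if parts.scheme.lower() != "https":
        return f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname  # lower-cased, port and userinfo stripped
    if not host:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    try:
        ipaddress.ip_address(host)  # bare IPv4/IPv6 literals are never our CDN
        return "IP literal not allowed"
    except ValueError:
        pass
    # Exact match or a subdomain of an allowed host; "host.allowed.tld.evil" fails.
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return f"host not on allow-list: {host}"
    return None


def create_share(payload: dict) -> dict:
    """Server side of a create-share request: reject disallowed image URLs."""
    url = payload.get("url")
    if url is not None:
        reason = image_url_problem(url)
        if reason is not None:
            return {"status": 400, "error": f"rejected image url: {reason}"}
    return {"status": 201, "post": payload}
```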
 
 
That was my first report, sent to LinkedIn's security email address. The same day, a LinkedIn employee named 'Sanjay' replied saying they would investigate it and get back to me when they had completed their analysis.
Two days later, on Nov 22, I escalated the vulnerability to stealing LinkedIn users' credentials by using WWW-Authenticate, so I pinged Sanjay to tell him what I was capable of.
On Nov 25, I received a negative response from Sanjay, saying:

Hi Khali, 

Thanks for reaching out to us. After careful consideration of your report, we believe this does not represent a security vulnerability as it requires explicit user interaction.

It is similar to someone sending a phishing email. Alternatively, each LinkedIn member can request that any post be marked as spam by using the “Report this post” feature.

That being said, if you could find a way to automatically trigger code execution on user’s browser, please write to us and we will investigate your report. 

Regards, 

Sanjay

I was really shocked by that reply, so I figured he needed a better proof of concept in order to demonstrate it, and I replied with this:

 

To demonstrate this exploit, follow my previous report, then check the LinkedIn post from Internet Explorer on a PC (and there are many other browsers). Also check it from the Chrome browser app on mobile (latest version) (and there are many other browsers).

 

Anyway, here are the POC videos:

 

- POC on PC via Internet Explorer:


 

- POC on mobile via Chrome (latest version) and Dolphin (latest version):


 

But again Sanjay said that it requires user interaction, and that they believe this does not represent a security vulnerability.
 
We both went into a long discussion; you can continue reading by viewing this email chain PDF file: https://khalil-shreateh.com/khalil.shtml/images/articles/websites/vulnerabilities/LinkedIn-Vulnerability-Report---Email-Chain.pdf
After three weeks of explaining with POC videos and images without it being accepted as a security risk, I felt frustrated, so I planned to move on to the media. I contacted Tom from The Verge. After I explained the exact security risk behind this vulnerability, he first asked me to test on a Mac, so I sent him this video: https://youtu.be/zIj8pBiMlWo
After that he tested on Microsoft Edge, and soon after he pinged high-level employees at Microsoft and LinkedIn.
Soon after that I received an email from Sanjay saying:

Hi Khalil,

We have confirmed that this issue has now been resolved. Please test it at your end and let us know if your results vary. 

We appreciate your efforts to notify us about this issue and want to thank you for helping us to protect LinkedIn members.  

Regards,

Sanjay

Strange, right!! I told Tom that it's "Media Power" XD.
 
Here are all the POC videos I provided to Sanjay:
LinkedIn Exploit on Quantum:

 

 
