LinkedIn has patched a number of exploitable vulnerabilities that could have led to phishing attacks, malware infections and the loss of credentials for users of the social network for business professionals.
Researchers at Internet Security Auditors in Spain reported the vulnerabilities to LinkedIn on two occasions, in January and again in March. A number of cross-site request forgery and cross-site scripting vulnerabilities were discovered on the LinkedIn Investors page as well as in the Add Connection feature on the popular website.
LinkedIn released fixes for both this month, the researchers said. A LinkedIn representative confirmed to Threatpost that the vulnerability on the Add Connection page was fixed within 48 hours of being reported, while the bug on the Investors page, which is hosted by a third party, was patched by that vendor and confirmed as fixed by LinkedIn.
Less than a year ago, security practices on the LinkedIn site were called into question when 6.5 million passwords were leaked. This was preceded by news that the service’s app for iOS devices was transmitting passwords and calendar entries back to LinkedIn servers. Earlier this month, a class-action lawsuit stemming from the password leak was dismissed by a Northern California district judge.
The vulnerabilities disclosed today were typical web flaws afflicting many websites; given LinkedIn’s network of upwards of 200 million users, the risks were elevated.
Researcher Eduardo Garcia Melia said he discovered multiple reflected cross-site scripting (XSS) vulnerabilities on the LinkedIn investors webpage, all of which would allow an attacker to inject malicious HTML or script onto the page.
“This flaw can be used by a malicious user to send phishing to the LinkedIn customers, abusing the users’ trust in the LinkedIn portal, tricking the user,” Melia told Threatpost via email. “Also, an attacker could perform phishing attacks and inject HTML or script code in the context of the victim’s browser, so they can perform XSS attacks, and steal cookies of a targeted user.”
The malicious actions could forward a user to a page controlled by the attacker, a cloned version of LinkedIn, for example, where the user would be asked to re-enter their credentials, or to a site hosting additional malware.
Melia provided JavaScript samples that could be used to exploit the vulnerabilities. An error response, he said, included a note that LinkedIn security had identified the XSS vulnerability in May 2010, but had not repaired it until now.
“The LinkedIn team has corrected [the] vulnerabilities,” Melia said. “Although now when I try to exploit this problem, [it] gives an uncontrolled HTTP 500 error. They could have corrected [it] better.”
Melia’s colleague Vicente Aguilera Diaz reported a number of cross-site request forgery (CSRF) vulnerabilities in January that were found in the Send Invitation request that is part of the Add Connections feature, one of the site’s more useful and popular features.
Diaz said the token used to authenticate a user is the session cookie, which is sent automatically by the browser in every request.
“The user does not decide, for each request, whether to send cookies. It is the user’s browser that sends cookies automatically and transparently each time the user visits a site,” Diaz told Threatpost. “A malicious user can force the user’s browser to make a request on the web application, so the application has no more data to discern if the application comes from the legitimate user or from the malicious user, so it considers that the request has been performed by the legitimate user.”
This would be an especially dangerous vulnerability on an online banking application, where an attacker could impersonate a legitimate user and execute transactions as that user, most likely emptying the account. In the case of LinkedIn, an attacker could add connections without the user’s knowledge.
“In this way, you may have access to private information published by these users (you could not access this information if they were not linked),” he said. “For example, you could create a page that had malicious code that exploits the CSRF and post a link to this page on LinkedIn groups that have many users (hundreds of thousands of users). Users who read this post in the group will be authenticated in LinkedIn, so the exploit will have success and these users will be added to the malicious user’s contact network.”
The vulnerability was easier to exploit because the Send Invitation feature accepted both GET and POST HTTP requests.
“Really, the problem exists regardless of whether the request is made by the GET or POST method. Allowing the request to be made via the GET method simply facilitates the exploitation of the vulnerability,” Diaz said. “For example, if you allow the GET method, the malicious user can base his attack on a simple URL (which you can post on a forum, in email, etc.). If it only allowed the POST method, then the malicious user cannot create a URL with the payload to work independently, but must make an intermediate step. For example, create a page that contains a malicious form with the parameters expected by the request and provide the victim a URL to the form.”
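As an added illustration that is not from the article or the researchers, the following Python model contrasts a handler that trusts the session cookie alone (so a forged GET or POST succeeds, since the browser attaches the cookie regardless of who built the request) with a hardened handler that accepts only POST and requires a per-session CSRF token. The session store, handler names and sample users are constructed for the example and are not LinkedIn's implementation.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory session store: session id -> {"user", "csrf"} (not LinkedIn's).
SESSIONS = {}

def create_session(user="alice"):
    """Log a user in: issue a session id and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

@dataclass
class Request:
    method: str
    cookies: dict   # attached automatically by the browser, whoever triggered the request
    params: dict    # query string or form body

def cookie_only_handler(req):
    """Weak: trusts the session cookie alone and accepts GET as well as POST."""
    if req.cookies.get("sid") not in SESSIONS:
        return 401
    return 200  # invitation sent as the cookie's owner, whoever built the request

def hardened_handler(req):
    """Hardened: state change only via POST, with a token bound to the session."""
    if req.method != "POST":
        return 405  # a plain URL can no longer trigger the action
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401
    if not hmac.compare_digest(req.params.get("csrf_token", ""), session["csrf"]):
        return 403  # a cross-site page cannot read the token, so it cannot supply it
    return 200

def simulate():
    """Replay a legitimate and two forged requests; returns {(handler, case): status}."""
    sid = create_session()
    jar = {"sid": sid}  # the victim's browser cookie jar, sent with every request
    cases = {
        "legit_post": Request("POST", jar, {"to": "bob", "csrf_token": SESSIONS[sid]["csrf"]}),
        "forged_get": Request("GET", jar, {"to": "mallory"}),    # link planted in a group post
        "forged_post": Request("POST", jar, {"to": "mallory"}),  # auto-submitted hidden form
    }
    return {(name, case): handler(req)
            for name, handler in (("cookie_only", cookie_only_handler), ("hardened", hardened_handler))
            for case, req in cases.items()}
```

Running `simulate()` shows the weak handler returning 200 for all three requests, while the hardened one returns 405 for the forged GET and 403 for the forged POST.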
This article was updated to include comments from LinkedIn.