
#LinkedIn Cross Site Request Forgery #CSRF


=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 20th, 2013
- Last revised:  May 4th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
CSRF vulnerability in LinkedIn allowing a remote attacker to delete any user's recommendations

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented social networking service. One purpose of the site is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.  

3. DESCRIPTION
-------------------------
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in one of its most important features, the "Recommendations" functionality. LinkedIn allows, and indeed facilitates, a user to check the recommendations given to other users; they are shown as "Recommendations for 'UserName'".

An attacker can craft a request that deletes a received recommendation and send it to the victim user. The attack can be carried out with a simple GET request. The attacker does not need a separate medium to deliver the malicious CSRF request; the LinkedIn mail feature alone suffices.

4. PROOF OF CONCEPT
-------------------------------

An attacker can view his/her own recommendations and collect the following URL.

Here is a typical request to delete a recommendation for a logged-in user:

https://www.linkedin.com/recommendations?wdr=&recID=123456789&goback=%2Enas_*1_*1_*1%2Eprs

The recID is a unique request Id generated by LinkedIn for each recommendation a user receives.

In its simplest form the request is:

https://www.linkedin.com/recommendations?wdr=&recID=123456789

This request Id can be obtained from the web page source while viewing the victim user's recommendations.

Steps to conduct the attack:
I. Attacker visits the victim user's LinkedIn account and views the recommendations received.
II. Attacker opens the page source in his own browser and gets the victim user's recommendation request Id.
III. Attacker crafts the malicious CSRF request and sends it to the victim through LinkedIn mail.
IV. On clicking the link, the victim's recommendation is withdrawn / deleted.
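The root cause above is a state-changing action (deleting a recommendation) that runs on a plain GET authorised by nothing but the session cookie, which the browser attaches to any request regardless of where the link came from. The following is an added example, not code from the advisory or from LinkedIn: a small Python stand-in for such an endpoint, shown in the vulnerable form the advisory describes and in a hardened form that requires POST, checks the Origin/Referer header against the site, and verifies a per-session synchronizer token. The server secret, the in-memory recommendation store, the session ids and the request objects are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed values for this example only; a real deployment keeps the secret out of source.
SERVER_SECRET = b"example-only-server-secret"
SITE_ORIGIN = "https://www.linkedin.com"
# Sample store: recID -> session id of the user who received the recommendation (constructed).
SAMPLE_STORE = {"123456789": "session-victim"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; not a real web framework object."""
    method: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC, so it needs no server-side storage."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def delete_recommendation_vulnerable(req: Request, store: dict):
    """The pattern the advisory describes: a GET that changes state and is
    authorised by the session cookie alone, which the browser attaches automatically."""
    session_id = req.cookies.get("session")
    rec_id = req.query.get("recID")
    if session_id is None or rec_id not in store or store[rec_id] != session_id:
        return 404, "not found"
    del store[rec_id]
    return 200, "deleted"


def delete_recommendation_hardened(req: Request, store: dict):
    """Same action with three independent anti-CSRF controls."""
    session_id = req.cookies.get("session")
    if session_id is None:
        return 401, "login required"
    # 1. State-changing actions only over POST: a plain link in a mail cannot issue one.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Origin (or Referer as fallback) must be the site itself; browsers set these
    #    headers themselves and a cross-site page cannot overwrite them.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or _origin_of(src) != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # 3. Per-session synchronizer token in the body, compared in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403, "missing or invalid CSRF token"
    rec_id = req.form.get("recID")
    if rec_id not in store or store[rec_id] != session_id:
        return 404, "not found"
    del store[rec_id]
    return 200, "deleted"


def cross_site_get() -> Request:
    """What the victim's browser sends on following the advisory's link from another page."""
    return Request("GET", query={"wdr": "", "recID": "123456789"},
                   cookies={"session": "session-victim"},
                   headers={"Referer": "https://attacker.example/"})


def cross_site_post_without_token() -> Request:
    """An auto-submitted cross-site form: right method, but foreign Origin and no token."""
    return Request("POST", form={"recID": "123456789"},
                   cookies={"session": "session-victim"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_post() -> Request:
    """The user's own click on the site's delete button, which embeds the token."""
    return Request("POST", form={"recID": "123456789",
                                 "csrf_token": csrf_token_for("session-victim")},
                   cookies={"session": "session-victim"},
                   headers={"Origin": SITE_ORIGIN})


def run_comparison() -> dict:
    """Exercise both handlers on fresh copies of the store and return the status codes."""
    return {
        "vulnerable/cross-site GET": delete_recommendation_vulnerable(cross_site_get(), dict(SAMPLE_STORE))[0],
        "hardened/cross-site GET": delete_recommendation_hardened(cross_site_get(), dict(SAMPLE_STORE))[0],
        "hardened/cross-site POST": delete_recommendation_hardened(cross_site_post_without_token(), dict(SAMPLE_STORE))[0],
        "hardened/legitimate POST": delete_recommendation_hardened(legitimate_post(), dict(SAMPLE_STORE))[0],
    }


if __name__ == "__main__":
    for case, status in run_comparison().items():
        print(f"{case}: {status}")
```

Running the block shows the vulnerable handler deleting the recommendation on the cross-site GET (200), while the hardened handler answers 405 to the GET, 403 to a cross-site POST lacking the token, and 200 only to the user's own tokenised POST. The token is the primary control; the method and Origin checks are defence in depth, since Referer may be stripped by privacy settings, and in modern browsers a SameSite attribute on the session cookie adds a further layer.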



5. BUSINESS IMPACT
-------------------------
An attacker can withdraw / delete any recommendation of any user.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn 

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 20, 2013: Initial release
May 04, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure-play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile devices and networks.
Our mission is to exceed client expectations and deliver quality security services in totality, covering the People, Process and Technology assets of the client, with assurance of comprehensive coverage of every possible facet of information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291



