Friday 17 May 2013

CSRF vulnerability in LinkedIn 2013

This security company has found a CSRF vulnerability in LinkedIn and has uploaded a PoC to YouTube to show the impact.
The Cross-Site Request Forgery attack allows the attacker to access information from a contact without the consent/knowledge of the affected user.
Step 1: Visit LinkedIn.com
Sign in with the profile you wish to use.
Step 2: Click "Add connections".
Step 3: Any e-mail
Step 4: Use a proxy like WebScarab.
Step 5: Delete parameters that are not used/validated:
  • csrfToken
  • sourceAlias
Step 6: Use HTTP GET method instead of HTTP POST method.
Step 7:

Step 8:

Step 9:

Vulnerability: CSRF Vulnerability in LinkedIn
Score: 4.3/10 (CVSSv2 Base Score)

Business impact: A malicious user can access the information shared by users who have been added to the malicious user's contacts without their consent/knowledge.

System affected: LinkedIn Service

Credits: Vicente Aguilera Díaz
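
The two conditions in steps 5 and 6 (the request still works with `csrfToken` deleted, and over GET instead of POST) are exactly what a server-side check has to refuse. The sketch below is an added example, not code from LinkedIn or from the researcher; the HMAC-based token scheme, the function names, the `email` parameter and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret used to derive tokens.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive the CSRF token for a session; the HMAC binds it to that session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, params: dict, session_id: str) -> tuple[bool, str]:
    """Decide whether a state-changing request may proceed."""
    # Step 6 of the write-up: the action was accepted over GET. Refuse it.
    if method.upper() != "POST":
        return False, "method not allowed"
    # Step 5: csrfToken was deleted and the request still worked. Require it.
    token = params.get("csrfToken")
    if not token:
        return False, "csrf token missing"
    # Constant-time comparison against the token expected for this session.
    expected = issue_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


def demo() -> list:
    sid = "session-A"  # constructed session identifier
    good = {"csrfToken": issue_token(sid), "email": "contact@example.com"}
    stripped = {"email": "contact@example.com"}  # token parameter removed
    foreign = {"csrfToken": issue_token("session-B"), "email": "contact@example.com"}
    return [
        check_request("POST", good, sid),      # legitimate form submission
        check_request("POST", stripped, sid),  # step 5: parameter deleted
        check_request("GET", stripped, sid),   # steps 5 and 6 combined
        check_request("GET", good, sid),       # valid token, wrong method
        check_request("POST", foreign, sid),   # token from another session
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```
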
