Last month, on November 20, I found a vulnerability in LinkedIn, which I classified as PHP injection due to a bad filter.
The vulnerability exists in the endpoint: https://www.linkedin.com/voyager/api/feed/shares?action=create
which is used for creating a new post. The "url" variable is the SRC attribute of the uploaded image, and its value is not restricted to LinkedIn-hosted media: modify the "url" value to point to a remote PHP file hosted outside LinkedIn,
and the attacker can get the user's details as soon as the image is clicked.
Two days later, on Nov 22, I escalated the vulnerability to stealing LinkedIn users' credentials by using WWW-Authenticate (the HTTP response header that makes the browser show a login prompt, here on a page that appears to be LinkedIn's), so I pinged Sanjay to tell him what I was capable of.
On Nov 25, I received a negative response from Sanjay, saying:
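The root cause described above is that the "url" field of a share request is accepted without restricting it to hosts the site actually serves media from, so the image can load from any origin. The following is an added example of the server-side check a defender would put in front of that field; it is not LinkedIn's code, and the allowlisted host (media.example.com), the function name validate_image_url and the sample URLs are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder allowlist. A real deployment lists the exact CDN
# hosts that serve user-uploaded media and nothing else.
ALLOWED_MEDIA_HOSTS = frozenset({"media.example.com"})

# Plain DNS host labels only: letters, digits and hyphens, dot separated.
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def validate_image_url(url, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Return (accepted, reason) for a user-supplied image URL.

    Accepts only an absolute https URL whose host is exactly on the
    allowlist, with no userinfo, no explicit port and no hostname tricks.
    Everything else is rejected before the value is stored or rendered.
    """
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False, "missing, not a string, or too long"
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "whitespace or control characters in URL"

    parts = urlsplit(url)

    # Protocol-relative ("//host/x") and non-https schemes are all rejected.
    if parts.scheme != "https":
        return False, "scheme %r not allowed" % parts.scheme

    # "https://media.example.com@attacker.example/x.php" parses with the
    # trusted name as *username* and the real host after the "@".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (user@host) not allowed"

    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None:
        return False, "explicit port not allowed"

    # urlsplit lowercases the host; strip a trailing dot so
    # "media.example.com." cannot bypass an exact-match allowlist.
    host = (parts.hostname or "").rstrip(".")
    if not host or not _HOST_RE.match(host):
        return False, "malformed host"
    if host not in allowed_hosts:
        return False, "host %r is not an allowed media host" % host

    return True, "ok"


def screen_share_request(payload):
    """Apply the check to a decoded share request (constructed shape:
    {"url": "<image src>"}) and report whether it may proceed."""
    accepted, reason = validate_image_url(payload.get("url"))
    return {"accepted": accepted, "reason": reason}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate upload and several shapes
    # of the external-host trick described in the report.
    samples = [
        "https://media.example.com/img/photo.png",
        "https://attacker.example/image.php",
        "https://media.example.com@attacker.example/image.php",
        "https://media.example.com.attacker.example/photo.png",
        "http://media.example.com/photo.png",
        "//attacker.example/image.php",
    ]
    for s in samples:
        print(screen_share_request({"url": s}), s)
```

The check is deliberately an exact-host allowlist rather than a blocklist or a substring match: a suffix or substring test would pass media.example.com.attacker.example and the user@host form, which is exactly how a trusted-looking name ends up pointing at a foreign server. Validating server-side also means the fix does not depend on which browsers still show a cross-origin login prompt for an image, which is why the report's results varied by browser.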
Thanks for reaching out to us. After careful consideration of your report, we believe this does not represent a security vulnerability as it requires explicit user interaction.
It is similar to someone sending a phishing email. Alternatively, each LinkedIn member can request any post to be marked as spam by using the “Report this post” feature.
That being said, if you could find a way to automatically trigger code execution on user’s browser, please write to us and we will investigate your report.
I was really shocked by that reply, so I figured that he needed a better proof of concept in order to demonstrate it, and I replied with this:
To demonstrate this exploit, follow my previous report, then check the LinkedIn post from Internet Explorer on PC (and there are many other browsers). Also check it from the Chrome browser app on mobile (latest version) (and there are many other browsers).
Anyway, here are the POC videos:
- POC on PC via Internet Explorer:
- POC on mobile via Chrome (latest version), Dolphin (latest version):
But again Sanjay said that it requires user interaction and that they believe it does not represent a security vulnerability.
After three weeks of explaining with POC videos and images without it being accepted as a security risk, I felt frustrated, so I decided to go to the media. I contacted Tom from The Verge; after I explained the exact security risk behind this vulnerability, he first asked me to test on Mac, so I sent him this video: https://youtu.be/zIj8pBiMlWo
After that he tested on Microsoft Edge, and soon after he pinged high-level employees at Microsoft and LinkedIn.
Soon after that I received an email from Sanjay saying:
We have confirmed that this issue has now been resolved. Please test it at your end and let us know if your results vary.
We appreciate your efforts to notify us about this issue and want to thank you for helping us to protect LinkedIn members.
Strange, right!! I told Tom that it's "Media Power" XD.
Here are all the POC videos I provided to Sanjay: