Linkedin iOS app V 6_1_2 HTML message parsing vulnerability
Pierluigi Paganini
December 09, 2013
LinkedIn iOS app parses HTML in the messages, and this can be used to phish for credentials or be escalated into a full blown attack.
Senior CyberSecurity Specialist Zouheir Abdallah @ZuZ (Twitter handle), has publicly and responsibly disclosed a vulnerability in LinkedIn’s mobile app. Zouheir is known for reporting a serious vulnerability in DropBox’s 2 Factor Authentication back in July 2013.
LinkedIn’s vulnerability lies in the messaging feature of LinkedIn’s mobile app, that parses HTML code, which could have serious impact on
LinkedIn‘s users. A proof of concept was made and submitted to LinkedIn in September 2013 and the App was patched in October 2013. One possible attack vector is using this vulnerability to phish users of LinkedIn’s mobile app.
The details of this attack can be found in the attached
PDF document, below the proof of concept.
Send a message to a user with the following content
Hey, Can you please view my LinkedIn profile and endorse me! Thanks! I appreciate it!
<a href=”InsertPhishingSiteHere.com”>
qa.linkedin.com/in/zouheirabdallah</a>
regards,
The
phishing site can be a replica of LinkedIn and tricks the victim into giving out his username and password.
The
iOS app will display the url without the hyperlink embedded in the HTML a
href , and the receiver of the message will not even know that he is being redirected to a malicious site
. This attack can be used against LinkedIn
too by claiming that LinkedIn requires re-authentication to view some article on LinkedIn. This attack could also work on different devices such as Android and Blackberry, but he couldn’t test as he didn’t have other handsets at hand.
LinkedIn doesn’t have a security bounty neither a Hall Of Fame, nevertheless he received a symbolic token of a shirt, mug, and a thank you note from LinkedIn’s security team.
