Pierluigi Paganini May 22, 2012

A serious vulnerability has been found in the authentication process of the popular network LinkedIN, the news published on the Spanish blog of the security expert Fernando A. Lagos Berardi. The article published reports that a vulnerability in LinkedIn allows obtaining user’s password.

For the authentication process LinkedIn adopts a token in login phase that can be used several times with different usernames and also using the same IP address. This behavior let suggest that the token is not verified after the first login, exposing the authentication process to brute force attack.

This attack is possible due to an error in validating of the security token (CSRF token) that allows to the attacker to send an unlimited number of requests using the same token for different users. The only secure mechanism implemented against the attack is a Captcha challenge-response test after a dozens of attempts.

The author of the article has proven the existence of the vulnerability following the procedure:

Step.1

First of all is necessary to retrieve a valid token during a successfully authentication to the LinkedIn platform, that is possible intercepting the POST request made and in particular the field “sourceAlias” and “csrfToken”. Login into your LinkedIn account and capture the “sourceAlias” and “csrfToken” variable (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)

Step.2

Let’s note that it is not necessary to send these values ​​using POST request methods, it is possible to write a script to send login request using GET methods validating the answer and checking the password.

To try the procedure let’s use the Token to login into another account:

https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () somedomain.com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless

where session_key is the username and session_password is the password.

Consider that the password (session_password) is not correct if the requested URL returns “The email address or password you provided does not match our records“, else the password if correct.

The script developed reads an input text file usable as dictionary to perform the attack.
The author of the attack have created a specific account using the email “panic@zerial.org” and for the hack has used a dictionary containing the following words:

asdfgh
zxcvbnm
1,234,567
0987654
12345698
456_4567
123456qwert
123456qwerty
12345qwei
112233

The hack successfully excecuted finding the correct password contained in the dictionary file. Following command for the script execution:

For reasons of time I had no way to prove the script that has been also proposed on the popular security site Seclists.org.

Demonstrated the vulnerability has to wonder what the real risks for the victims. On more than one occasion we discussed the possibility of carrying out intelligence operations across all major platforms for social networks.

Any vulnerability in this type of systems exposes users to risks of identity theft, a hacker could collect information about the victim using its profile for other purposes and attacks. In fact, using social engineering techniques on similar platforms with a “stolen” account an attacker can retrieve sensible information related any user.

In the specific case the aggravating is that the popular network is mainly used for the construction of networks of professionals, including agents of many Governments.

Pierluigi Paganini

References

Fernando A. Lagos Berardi, Seguridad Informatica
Blog: http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/