LinkedIN – Vulnerability in the authentication process and related risks

A serious vulnerability has been found in the authentication process of the popular network LinkedIN, the news published on the Spanish blog of the security expert Fernando A. Lagos Berardi. The article published reports that a vulnerability in LinkedIn allows obtaining user’s password.

For the authentication process LinkedIn adopts a token in login phase that can be used several times with different usernames and also using the same IP address. This behavior let suggest that the token is not verified after the first login, exposing the authentication process to brute force attack.

This attack is possible due to an error in validating of the security token (CSRF token) that allows to the attacker to send an unlimited number of requests using the same token for different users. The only secure mechanism implemented against the attack is a Captcha challenge-response test after a dozens of attempts.

The author of the article has proven the existence of the vulnerability following the procedure:


First of all is necessary to retrieve a valid token during a successfully authentication to the LinkedIn platform, that is possible intercepting the POST request made and in particular the field “sourceAlias” and “csrfToken”. Login into your LinkedIn account and capture the “sourceAlias” and “csrfToken” variable (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)



Let’s note that it is not necessary to send these values ​​using POST request methods, it is possible to write a script to send login request using GET methods validating the answer and checking the password.

To try the procedure let’s use the Token to login into another account: ()

where session_key is the username and session_password is the password.

Consider that the password (session_password) is not correct if the requested URL returns “The email address or password you provided does not match our records“, else the password if correct.

The script developed reads an input text file usable as dictionary to perform the attack.
The author of the attack have created a specific account using the email “” and for the hack has used a dictionary containing the following words:


The hack successfully excecuted finding the correct password contained in the dictionary file. Following command for the script execution:


For reasons of time I had no way to prove the script that has been also proposed on the popular security site

Demonstrated the vulnerability has to wonder what the real risks for the victims. On more than one occasion we discussed the possibility of carrying out intelligence operations across all major platforms for social networks.

Any vulnerability in this type of systems exposes users to risks of identity theft, a hacker could collect information about the victim using its profile for other purposes and attacks. In fact, using social engineering techniques on similar platforms with a “stolen” account an attacker can retrieve sensible information related any user.

In the specific case the aggravating is that the popular network is mainly used for the construction of networks of professionals, including agents of many Governments.

Pierluigi Paganini


Fernando A. Lagos Berardi, Seguridad Informatica
Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.