LinkedIn – Vulnerability in the authentication process and related risks

A serious vulnerability has been found in the authentication process of the popular network LinkedIn; the news was published on the Spanish blog of the security expert Fernando A. Lagos Berardi. The article reports that a vulnerability in LinkedIn allows an attacker to obtain users' passwords.

In its authentication process LinkedIn uses a token in the login phase that can be reused several times with different usernames, even from the same IP address. This behavior suggests that the token is not invalidated after the first login, exposing the authentication process to brute force attacks.

This attack is possible due to an error in the validation of the security token (CSRF token) that allows an attacker to send an unlimited number of requests using the same token for different users. The only protection mechanism implemented against the attack is a CAPTCHA challenge-response test after a few dozen attempts.

The author of the article has proven the existence of the vulnerability with the following procedure:

Step 1

First of all it is necessary to retrieve a valid token during a successful authentication to the LinkedIn platform; this is possible by intercepting the POST request made and, in particular, the fields “sourceAlias” and “csrfToken”. Log into your LinkedIn account and capture the “sourceAlias” and “csrfToken” variables (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)


Step 2

Note that it is not necessary to send these values using POST requests; it is possible to write a script that sends the login request using GET, validates the answer and checks the password.

To try the procedure, let's use the token to log into another account:

https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody@somedomain.com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless

where session_key is the username and session_password is the password.

The password (session_password) is considered incorrect if the requested URL returns “The email address or password you provided does not match our records”; otherwise the password is correct.

The script developed reads an input text file used as a dictionary to perform the attack.
The author created a specific account using the email “panic@zerial.org” and for the test used a dictionary containing the following words:

asdfgh
zxcvbnm
1,234,567
0987654
12345698
456_4567
123456qwert
123456qwerty
12345qwei
112233

The hack executed successfully, finding the correct password contained in the dictionary file. The command for the script execution follows:


For reasons of time I had no way to try the script, which has also been posted on the popular security site Seclists.org.
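From the defender's side, the procedure above leaves a distinctive trace in web-server logs: one csrfToken value submitted against many different session_key values, a burst of login requests from one source, and credentials carried in a GET query string. The following is an added example, not part of the original article, of detection logic for those three signals run over constructed access-log lines. The log format, the IP addresses, the timestamps and the thresholds are assumptions; only the path and the csrfToken and session_key parameter names come from the request shown above.

```python
"""Added example (not from the article): flag the login-oracle pattern
described above in constructed web-server access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one token reused against four accounts from one IP,
# one legitimate GET with its own token, one POST, one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2012:10:00:01 +0000] "GET /uas/login-submit?csrfToken=ajax%3A1111&session_key=a%40example.com&session_password=x HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2012:10:00:02 +0000] "GET /uas/login-submit?csrfToken=ajax%3A1111&session_key=b%40example.com&session_password=x HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2012:10:00:03 +0000] "GET /uas/login-submit?csrfToken=ajax%3A1111&session_key=c%40example.com&session_password=x HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2012:10:00:04 +0000] "GET /uas/login-submit?csrfToken=ajax%3A1111&session_key=d%40example.com&session_password=x HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2012:10:00:30 +0000] "GET /uas/login-submit?csrfToken=ajax%3A2222&session_key=e%40example.com&session_password=y HTTP/1.1" 302 0
203.0.113.9 - - [01/May/2012:10:01:00 +0000] "POST /uas/login-submit HTTP/1.1" 302 0
203.0.113.9 - - [01/May/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Combined-log style prefix: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
LOGIN_PATH = "/uas/login-submit"   # from the request shown in the article


def parse_login_attempts(lines):
    """Return one record per request to the login endpoint."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != LOGIN_PATH:
            continue
        qs = parse_qs(parts.query)   # also percent-decodes, e.g. ajax%3A1111 -> ajax:1111
        attempts.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "token": qs.get("csrfToken", [None])[0],
            "user": qs.get("session_key", [None])[0],
            "creds_in_url": "session_password" in qs,
        })
    return attempts


def tokens_reused_across_accounts(attempts, min_accounts=3):
    """A token that is legitimately bound to one session should never appear
    with several usernames; return those that do, with the accounts tried."""
    users_by_token = defaultdict(set)
    for a in attempts:
        if a["token"] and a["user"]:
            users_by_token[a["token"]].add(a["user"])
    return {t: sorted(u) for t, u in users_by_token.items() if len(u) >= min_accounts}


def attempts_per_ip(attempts):
    """Login submissions per source address, for burst/threshold alerting."""
    counts = defaultdict(int)
    for a in attempts:
        counts[a["ip"]] += 1
    return dict(counts)


def credentials_in_url_count(attempts):
    """GET logins carrying session_password end up in logs and proxies in
    clear; count them so the endpoint can be restricted to POST."""
    return sum(1 for a in attempts if a["method"] == "GET" and a["creds_in_url"])


if __name__ == "__main__":
    attempts = parse_login_attempts(SAMPLE_LOG.splitlines())
    print("reused tokens:", tokens_reused_across_accounts(attempts))
    print("attempts per ip:", attempts_per_ip(attempts))
    print("GET logins with password in URL:", credentials_in_url_count(attempts))
```

On the constructed sample only the first token is flagged, because the second token appears with a single account; the same logic applied to real logs would key the reuse check on the token the server actually issued, since an attacker who fetches a fresh token before every guess defeats a token-centred rule and is caught only by the per-source and per-account counters.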

Having demonstrated the vulnerability, one has to wonder what the real risks for the victims are. On more than one occasion we have discussed the possibility of carrying out intelligence operations across all major social network platforms.

Any vulnerability in this type of system exposes users to the risk of identity theft: a hacker could collect information about the victim and use the profile for other purposes and attacks. In fact, using social engineering techniques on such platforms with a “stolen” account, an attacker can retrieve sensitive information related to any user.

In this specific case the aggravating factor is that the popular network is mainly used to build networks of professionals, including agents of many governments.

Pierluigi Paganini

References

Fernando A. Lagos Berardi, Seguridad Informatica
Blog: http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
