This vulnerability was found on 31-10-2013, and LinkedIn addressed the issue within hours of the report. As with the last report, they were quick to respond.

The reason I use the word “Targeted” is that this CSRF only works against a chosen victim: the link that triggers it varies from user to user. Unlike a traditional CSRF, it requires the attacker to first obtain a parameter value belonging to the victim (the UID) in order to construct the malicious link.

Here is the PoC:

1> Create a link like: https://www.linkedin.com/mfeed?hide=&uid=5801xxxxxxxxxx&pk=uscp-home&goback=%2Enmp_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1&trk=delete-my
2> Select your targeted victim and the update/post which you need to delete.
3> “LIKE” the post to obtain the value of the UID parameter.
4> Visit the victim’s profile and, under updates, find the update/post which you “LIKE(d)”.
5> Hover the mouse over the victim’s name under the same update/post and capture the UID parameter’s value. [Hover and hold the mouse pointer on the name for a while until you see the tool-tip.]
6> Now reconstruct the above link with the obtained UID value and send it to the victim to trigger the vulnerability.
7> Once the link is forwarded to the victim and they click it, the victim’s update gets deleted.

This vulnerability has now been fixed by adding a unique anti-CSRF token to the request that deletes a post/update.
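The fix described above is the synchronizer-token pattern: a state-changing request must carry a secret that only a page served from the site's own origin can read, so a request that the victim's browser sends on behalf of another site (cookie attached automatically, token absent) is rejected. The following Python is an added illustration, not LinkedIn's code or the author's; the in-memory session store, post table and function names are assumptions. It models the delete endpoint before and after the fix, and also shows why a victim-specific but discoverable value such as the UID here is not a substitute for a token: the check needs something unpredictable and unreadable cross-origin, not merely user-specific.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a web app's session store and
# post database. All names here are assumptions for illustration only.
SESSIONS = {}   # session_id -> {"user": username, "csrf_token": per-session secret}
POSTS = {}      # post_id -> owner username


def login(user):
    """Create a session (the value a browser would hold in a cookie) and bind a
    fresh, unguessable anti-CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def page_token(session_id):
    """The token the legitimate page embeds in its own delete form/link.
    Same-origin pages can read it; a page on another origin cannot."""
    return SESSIONS[session_id]["csrf_token"]


def delete_post_before_fix(session_id, post_id):
    """Pre-fix behaviour: the session cookie plus a post identifier is all the
    endpoint checks, so a cross-site request made with the victim's browser
    (cookie attached automatically) succeeds."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    if POSTS.get(post_id) != session["user"]:
        return 403
    del POSTS[post_id]
    return 200


def delete_post_after_fix(session_id, post_id, csrf_token):
    """Post-fix behaviour: the request must also carry the per-session token.
    The comparison is constant-time, and a missing or wrong token is rejected
    before any state changes."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    if not csrf_token or not hmac.compare_digest(csrf_token, session["csrf_token"]):
        return 403
    if POSTS.get(post_id) != session["user"]:
        return 403
    del POSTS[post_id]
    return 200


def demo():
    """The victim is logged in; a request from another origin carries the cookie
    but not the token. Returns the status code of each attempt plus the posts
    that survive."""
    SESSIONS.clear()
    POSTS.clear()
    victim = login("victim")
    POSTS["post-1"] = "victim"
    POSTS["post-2"] = "victim"

    cross_site_before = delete_post_before_fix(victim, "post-1")         # 200: deleted
    cross_site_after = delete_post_after_fix(victim, "post-2", None)     # 403: blocked
    # A user-specific but discoverable value (like the UID) is not a secret token.
    guessed_value = delete_post_after_fix(victim, "post-2", "uid-5801")  # 403: blocked
    legitimate = delete_post_after_fix(victim, "post-2", page_token(victim))  # 200: own page
    return cross_site_before, cross_site_after, guessed_value, legitimate, sorted(POSTS)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(200, 403, 403, 200, [])`: the pre-fix endpoint deletes a post on a cross-site request, the fixed endpoint refuses both the token-less request and one carrying a guessed user-specific value, and only the site's own page, which can read the token, succeeds. A real deployment would additionally regenerate the token on login and mark the session cookie `SameSite`, but the token check alone is what closes the issue the post describes.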