CSRF vulnerability in LinkedIn

BACKGROUND
————————-
LinkedIn is a social networking service and website (www.linkedin.com)
for professionals. The site officially launched on May 5, 2003.  As of September 30, 2012 (the
end of the third quarter), professionals were signing up to join LinkedIn at a rate of approximately
two new members per second, and over 175 million professionals use LinkedIn to
exchange information, ideas and opportunities.

DESCRIPTION
————————-
CSRF (Cross-site Request Forgery) is an attack that forces an end user
to execute unwanted actions on a web application in which he/she is currently authenticated.
With a little help from social engineering (such as sending a link via email/chat), an attacker may
force the users of a web application to execute actions of the attacker’s choosing. A successful
CSRF exploit can compromise end user data and operations in the case of a normal user. If the
targeted end user is an administrator account, it can compromise the entire web application.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in the “Join Groups” functionality.  The only token used to authenticate the user is the session cookie, and the browser sends this cookie automatically with every request to the site, whether or not the request originates from a LinkedIn page.
LinkedIn Groups provide a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts.
An attacker can create a page that includes requests to the “Join Group” functionality of LinkedIn and thereby add to his group any authenticated user who visits the attacker's page. The attack is made easier because the “Join Group” request can be made with the HTTP GET method instead of the POST method normally issued by the
“Join Group” button.

PROOF OF CONCEPT
————————-
Below is a typical request to the “Join Group” functionality:

POST /nhome/nux/group HTTP/1.1
Host: www.linkedin.com
...

grpId=<GROUPID>&trk=nux-group-join

Also, the HTTP GET method can be used instead of the HTTP POST method used in this request, which makes exploitation of the CSRF vulnerability easier.  The following HTTP request produces the same result as the original HTTP POST request:

GET /nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join HTTP/1.1
Host: www.linkedin.com

1. The attacker creates a web page, “csrf-exploit.html”, that makes an HTTP GET request to the “Join Group” functionality.

For example:

<img
src="http://www.linkedin.com/nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join"
width=0 height=0>

2. A user authenticated in LinkedIn visits the “csrf-exploit.html” page controlled by the attacker.
For example, the attacker sends a message to the victim (sending it through LinkedIn's own messaging system is better for the attacker, as it ensures that the victim is authenticated) and persuades the victim to visit his page using social engineering techniques.

3. The attacker receives a request to join the group from the victim user; the attacker simply accepts this request and the user is added to his group.
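As an added defender-side illustration (this is not code from the advisory or from LinkedIn), the following Python models the “Join Group” endpoint twice: once as the advisory describes it, where the automatically sent session cookie is the only check and GET is accepted, and once with the checks that a forged cross-site request cannot satisfy (no state change on GET, Origin header check, per-session synchronizer token). The request dictionaries, group id, session id and secret key are constructed sample values.

```python
import hashlib
import hmac

# Constructed server-side secret (hypothetical; a real deployment loads it from config).
SECRET_KEY = b"constructed-example-key-do-not-use"
TRUSTED_ORIGIN = "https://www.linkedin.com"  # assumed origin of the site's own forms

def issue_csrf_token(session_id: str) -> str:
    """Per-session token to embed in the Join Group form (synchronizer token pattern)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def join_group_vulnerable(req: dict) -> tuple:
    """Models the endpoint as the advisory describes it: the session cookie, which the
    browser attaches to any request, is the only check, and the group id is accepted
    from either the query string (GET) or the form body (POST)."""
    if not req.get("cookie_session"):
        return 401, "not authenticated"
    grp = req.get("query", {}).get("grpId") or req.get("form", {}).get("grpId")
    return 200, f"join request sent for group {grp}"

def join_group_hardened(req: dict) -> tuple:
    """Same endpoint with three checks a forged cross-site request cannot satisfy."""
    session = req.get("cookie_session")
    if not session:
        return 401, "not authenticated"
    # 1. A state change is never performed on GET, so an <img src=...> cannot trigger it.
    if req.get("method") != "POST":
        return 405, "state change requires POST"
    # 2. Browsers set Origin on cross-site POSTs; a foreign origin is rejected outright.
    origin = req.get("headers", {}).get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    # 3. The form must carry the token issued for this session; an attacker's page
    #    cannot read it, and compare_digest avoids a timing side channel.
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session)):
        return 403, "missing or invalid CSRF token"
    return 200, f"join request sent for group {req['form'].get('grpId')}"

# Constructed requests: the forged GET the advisory's <img> tag produces, and a
# legitimate post from the site's own form carrying the session's token.
FORGED_GET = {"method": "GET", "cookie_session": "sess-victim", "headers": {},
              "query": {"grpId": "12345", "trk": "nux-group-join"}}
LEGIT_POST = {"method": "POST", "cookie_session": "sess-victim",
              "headers": {"Origin": TRUSTED_ORIGIN},
              "form": {"grpId": "12345", "trk": "nux-group-join",
                       "csrf_token": issue_csrf_token("sess-victim")}}
```

Running `join_group_vulnerable(FORGED_GET)` succeeds with only the cookie present, while `join_group_hardened(FORGED_GET)` is refused at the first check and only `LEGIT_POST` is accepted.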

BUSINESS IMPACT
————————-
A malicious user can make victims send a request to join his group without their consent or knowledge.

SYSTEMS AFFECTED
————————-
LinkedIn service.

REFERENCES
————————-
http://www.linkedin.com
http://www.isecauditors.com

CREDITS
————————-
This vulnerability has been discovered by Eduardo Garcia Melia
