2013-001: CSRF vulnerability in LinkedIn

Original release date: January 30th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)

BACKGROUND

LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals are signing up to join LinkedIn at a rate of approximately two new members per second. Actually, Over 175 million professionals use LinkedIn to exchange information, ideas and opportunities.

DESCRIPTION

CSRF (Cross-site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

 

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
LinkedIn is vulnerable to CSRF attacks in the "Add connections" functionality. Specifically, in the "Send Invitation" request. The only token for authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.

An attacker can create a page that includes requests to the "Send Invitation" functionality of LinkedIn and add to his connections the users who, being authenticated, visit the page of the attacker.

The attack is facilitated since the "Send Invitation" request can be realized across the HTTP GET method instead of the POST method that is realized habitually across the "Send Invitation" form.

VIDEO DEMO

PROOF OF CONCEPT 

Next, we show a typical request to the "Send Invitation" functionality:

POST /fetch/manual-invite-create HTTP/1.1
Host: www.linkedin.com
...

emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn&csrfToken=ajax:1234567890123456789&sourceAlias=0_cB6j7zv7bfEcbTWXQyKwqELvCi7FWQRq-jJsq2WDImH

Some parameters are not used/validated by the application, so we can remove these parameters from the request:
- csrfToken
- sourceAlias

Also, We can use HTTP GET method instead the HTTP POST method used at this request. This makes it more easy the exploitation of the CSRF vulnerability. So, finally, this HTTP request provoke the same result that the original HTTP POST request:

GET /fetch/manual-invite-create?emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn

1. An attacker create a web page "csrf-exploit.html" that realize a HTTP GET request to the "Send Invitation" functionality.
For example:

...

<img src="http://www.linkedin.com/fetch/manual-invite-create?emailAddresses=<attacker_email>&subject=" width=0 height=0>

...


2. A user authenticated in LinkedIn visit the "csrf-exploit.html" page controlled by the attacker.
For example, the attacker sends a mail to the victim (through the messaging system that provides LinkedIn is better as it ensures that the victim user is authenticated) and provokes that the victim visits his page (using social engineering techniques).
3. The attacker receives an invitation request from the victim user, so the attacker just accept this invitation and the user is added to his connections/contacts.

BUSINESS IMPACT

A malicious user can access to the information they share users that have been added to her contacts without his consent / knowledge.

SYSTEMS AFFECTED

LinkedIn service.

SOLUTION

Corrected by vendor.

REVISION HISTORY

January 16, 2013: Initial release
March 30, 2013: New update

DISCLOSURE TIMELINE

  • January 16, 2013: Vulnerability acquired by Internet Security Auditors. March 10, 2013: Sent to Sec Team.
  • March 15, 2013: Notification about correction.
  • March 25, 2013: Sent to lists.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.