LinkedIn User Account Handling Vulnerability(s)

[Kishor Sonawane <kishorsonawane () gmail com>]

===========================================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 11th, 2013
- Last revised:  February 5th, 2014
- Discovered by: http://varutra.com/blog/?p=281
===========================================================

1. VULNERABILITY
-------------------------
Multiple vulnerabilities in LinkedIn User Account Handling

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented Social networking service. One purpose of
the sites is to allow registered users to maintain a list of contact
details of people with whom they have some level of relationship, called
Connections. Users can invite anyone (whether a site user or not) to become
a connection. More details about LinkedIn can be found at
http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.

3. DESCRIPTION
-------------------------
There are multiple security issues in LinkedIn user account handling.

In a normal scenario a LinkedIn user logs into his/her account and can
change existing Email address or add new Email address. User can use any of
the Email addresses to login into LinkedIn account.

It was observed that following security issues are present in LinkedIn

a. LinkedIn adds new Email address without any confirmation from the user.
By simply adding a new Email address will make it fully functioning
immediately.

This means if an attacker manages to add an arbitrary Email Id to a victim
user's LinkedIn account then it will not need any verification.
Also, an attacker can ask for password reset link from LinkedIn forgot
password page immediately after adding the arbitrary Email id to a victim's
account and own his/her account.

b. User (LinkedIn account owner) cannot remove the arbitrary Email address
(added by an attacker) from his own LinkedIn account.

So if the victim comes to know that an unknown Email Id has got added to
his/her account still they cannot remove it as LinkedIn does not process
the request of removal successfully and only shows a false message that the
Email Id has been removed.

c. Insecure password reset module

Even after password reset link is used and user has changed the password,
this link will be activated for 24 hours where attacker can reset the
password again and again. This way once compromised account can not be
secured again by the victim user.

4. PROOF OF CONCEPT
-------------------------------

Steps to conduct the attack.
I. Attacker use some techniques such as CSRF like vulnerability to Social
Engineering and adds a custom Email Id to victim's LinkedIn account.
II. Attacker goes to LinkedIn forgot password page and reset victim's
password by providing the newly added Email id.
III. Attacker accesses the password reset link from custom Email id account
and owns victim's LinkedIn account.
IV. Victim user on knowing that his account is compromised will try to
remove the newly added custom Email Id/attacker's Email Id but cannot
remove it.
V. Victim user will reset his password with his own account but attacker
will again access the same password reset link and reset the password to
continue having access to victim's LinkedIn account.


5. BUSINESS IMPACT
-------------------------
An attacker can compromise a LinkedIn user account and can retain his
access forever.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 11, 2013: Initial release
February 05, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra
accepts no responsibility for any damage caused by the use or misuse of
this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure play Information Security Consulting, Research
and Training services firm, providing specialised security services for
software, mobile application and network infrastructure.
Our Mission is to exceed client expectations, deliver quality security
services in totality, covering People, Process and Technology asset of the
client, with assurance of comprehensive coverage on every possible facet of
information security related risk.

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291
https://www.linkedin.com/company/varutra-consulting

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/