LinkedIn: Vulnerability in the Authentication Process

Tuesday, May 22, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

A serious vulnerability has been found in the authentication process of the popular network LinkedIn, and the news published on the Spanish blog of the security expert Fernando A. Lagos Berardi.

The article reports that a vulnerability in LinkedIn allows obtaining user's password.

For the authentication process, LinkedIn adopts a token in the login phase that can be used several times with different usernames and also using the same IP address. This behavior suggests that the token is not verified after the first login, exposing the authentication process to a brute force attack.

This attack is possible due to an error in validating of the security token (CSRF token) that allows to the attacker to send an unlimited number of requests using the same token for different users. The only secure mechanism implemented against the attack is a Captcha challenge-response test after dozens of attempts.

The author of the article has proven the existence of the vulnerability following the procedure:

Step.1

First of all is necessary to retrieve a valid token during a successfully authentication to the LinkedIn platform, that is possible intercepting the POST request made and in particular the field "sourceAlias" and "csrfToken". 

Login into your LinkedIn account and capture the "sourceAlias" and "csrfToken" variable (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)

(click image to enlarge)

Step.2

Note that it is not necessary to send these values using POST request methods, it is possible to write a script to send login requests using GET methods for validating the answer and checking the password.

To try the procedure let's use the Token to login into another account where session_key is the username and session_password is the password:

https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () somedomain.com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless

Consider that the password (session_password) is not correct if the requested URL returns "The email address or password you provided does not match our records", else the password is correct.

(click image to enlarge)

The script reads an input text file usable as a dictionary to perform the attack.
The author of the attack has created a specific account using the email "panic@zerial.org" for the hack and has used a dictionary containing the following words:

  • asdfgh
  • zxcvbnm
  • 1,234,567
  • 0987654
  • 12345698
  • 456_4567
  • 123456qwert
  • 123456qwerty
  • 12345qwei
  • 112233

The hack was successfully excecuted, finding the correct password contained in the dictionary file. Following the command for the script execution:

(click image to enlarge)

For reasons of time constraints, I have no way to prove the script, but it has been posted on the popular security site Seclists.org.

Demonstrating this vulnerability, one has to wonder what the real risks are for the users. On more than one occasion we discussed the possibility of carrying out intelligence operations across all major platforms for social networks.

Any vulnerability on this type of system exposes users to risks of identity theft, as a hacker could collect information about the victim using their profile for other purposes and attacks.

In fact, using social engineering techniques on similar platforms with a "stolen" account, an attacker can retrieve sensitive information related any user.

In this specific case, the aggravation is that the popular platform is mainly used for the construction of networks of professionals, including agents of many Governments.

References:

Cross-posted from Security Affairs

Possibly Related Articles:
9523
Vulnerabilities
Information Security
Passwords Authentication Tokens Social Media Dictionary Attack Brute Force Login LinkedIn vulnerability
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.