LinkedIn: Vulnerability in the Authentication Process
Tuesday, May 22, 2012
(Translated from the original Italian)
A serious vulnerability has been found in the authentication process of the popular network LinkedIn, and the news published on the Spanish blog of the security expert Fernando A. Lagos Berardi.
The article reports that a vulnerability in LinkedIn allows obtaining user's password.
For the authentication process, LinkedIn adopts a token in the login phase that can be used several times with different usernames and also using the same IP address. This behavior suggests that the token is not verified after the first login, exposing the authentication process to a brute force attack.
This attack is possible due to an error in validating of the security token (CSRF token) that allows to the attacker to send an unlimited number of requests using the same token for different users. The only secure mechanism implemented against the attack is a Captcha challenge-response test after dozens of attempts.
The author of the article has proven the existence of the vulnerability following the procedure:
Step.1
First of all is necessary to retrieve a valid token during a successfully authentication to the LinkedIn platform, that is possible intercepting the POST request made and in particular the field "sourceAlias" and "csrfToken".
Login into your LinkedIn account and capture the "sourceAlias" and "csrfToken" variable (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)
(click image to enlarge)

Step.2
Note that it is not necessary to send these values using POST request methods, it is possible to write a script to send login requests using GET methods for validating the answer and checking the password.
To try the procedure let's use the Token to login into another account where session_key is the username and session_password is the password:
(click image to enlarge)

The script reads an input text file usable as a dictionary to perform the attack.
The author of the attack has created a specific account using the email "panic@zerial.org" for the hack and has used a dictionary containing the following words:
(click image to enlarge)

For reasons of time constraints, I have no way to prove the script, but it has been posted on the popular security site Seclists.org.
Demonstrating this vulnerability, one has to wonder what the real risks are for the users. On more than one occasion we discussed the possibility of carrying out intelligence operations across all major platforms for social networks.
Any vulnerability on this type of system exposes users to risks of identity theft, as a hacker could collect information about the victim using their profile for other purposes and attacks.
In fact, using social engineering techniques on similar platforms with a "stolen" account, an attacker can retrieve sensitive information related any user.
In this specific case, the aggravation is that the popular platform is mainly used for the construction of networks of professionals, including agents of many Governments.
References:
Cross-posted from Security Affairs
A serious vulnerability has been found in the authentication process of the popular network LinkedIn, and the news published on the Spanish blog of the security expert Fernando A. Lagos Berardi.
The article reports that a vulnerability in LinkedIn allows obtaining user's password.
For the authentication process, LinkedIn adopts a token in the login phase that can be used several times with different usernames and also using the same IP address. This behavior suggests that the token is not verified after the first login, exposing the authentication process to a brute force attack.
This attack is possible due to an error in validating of the security token (CSRF token) that allows to the attacker to send an unlimited number of requests using the same token for different users. The only secure mechanism implemented against the attack is a Captcha challenge-response test after dozens of attempts.
The author of the article has proven the existence of the vulnerability following the procedure:
Step.1
First of all is necessary to retrieve a valid token during a successfully authentication to the LinkedIn platform, that is possible intercepting the POST request made and in particular the field "sourceAlias" and "csrfToken".
Login into your LinkedIn account and capture the "sourceAlias" and "csrfToken" variable (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)
(click image to enlarge)
Step.2
Note that it is not necessary to send these values using POST request methods, it is possible to write a script to send login requests using GET methods for validating the answer and checking the password.
To try the procedure let's use the Token to login into another account where session_key is the username and session_password is the password:
https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () somedomain.com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=securelessConsider that the password (session_password) is not correct if the requested URL returns "The email address or password you provided does not match our records", else the password is correct.
(click image to enlarge)
The script reads an input text file usable as a dictionary to perform the attack.
The author of the attack has created a specific account using the email "panic@zerial.org" for the hack and has used a dictionary containing the following words:
- asdfgh
- zxcvbnm
- 1,234,567
- 0987654
- 12345698
- 456_4567
- 123456qwert
- 123456qwerty
- 12345qwei
- 112233
(click image to enlarge)
For reasons of time constraints, I have no way to prove the script, but it has been posted on the popular security site Seclists.org.
Demonstrating this vulnerability, one has to wonder what the real risks are for the users. On more than one occasion we discussed the possibility of carrying out intelligence operations across all major platforms for social networks.
Any vulnerability on this type of system exposes users to risks of identity theft, as a hacker could collect information about the victim using their profile for other purposes and attacks.
In fact, using social engineering techniques on similar platforms with a "stolen" account, an attacker can retrieve sensitive information related any user.
In this specific case, the aggravation is that the popular platform is mainly used for the construction of networks of professionals, including agents of many Governments.
References:
Cross-posted from Security Affairs
 
This is really a serious problem. I hope LinkedIn will find a solution on this problem.
ReplyDeleteBy: www.rickyzurvassocialmedia.com.au