lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 16 Sep 2012 00:29:07 +0530
From: Ajay Singh Negi <ajaysinghnegi01@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	secalert@...urityreason.com, bugs@...uritytracker.com, vuln@...unia.com,
	vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org, 
	submissions@...ketstormsecurity.org, submit@...ecurity.com
Subject: Linkedin's Clickjacking & Open Url Redirection
	Vulnerabilities

 Linkedin's Clickjacking & Open Url Redirection Vulnerabilities

# Vulnerability Title: Secondary Email Addition & Deletion Via Click
Jacking in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 06/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 07/08/2012
# Status: Fixed
# Patched On: 10/09/2012
# Public Release: 15/09/2012




*Summary*

A Clickjacking vulnerability existed on Linkedin that allowed an attacker
to add or delete a secondary email and can also make existing secondary
email as primary email by redressing the manage email page.

*Details*

Linkedin manage email page (a total of 1 page) was lacking X-FRAME-OPTIONS
in Headers and Frame-busting javascript  measures to prevent framing of the
pages. So the manage email page could be redressed to 'click-jack' Linkedin
users. Below I have mentioned the vulnerable Url.


*1. Click Jacking Vulnerable Url:*
https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1<http://www.google.com/url?q=https%3A%2F%2Fwww.linkedin.com%2Fsettings%2Fmanage-email%3Fgoback%3D.nas_*1_*1_*1&sa=D&sntz=1&usg=AFQjCNGkjluV_mUQz-l0-O4AE2x6J5lKqA>



# Vulnerability Title: Open Url Redirection in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 05/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 06/08/2012
# Status: Fixed
# Patched On: 07/09/2012
# Public Release: 15/09/2012



*Summary*

Open Url Redirection using which an attacker can redirect any Linkedin user
to any malicious website. Below I have mentioned the vulnerable Url.


*Original Open Url Redirection Vulnerable Url:*

https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/https%3A%2F%2Fhelp.linkedin.com%2Fapp%2Fhome%2Fh%2Fc%2Ffrom_auth%2Ftrue



*Crafted Open Url Redirection Vulnerable Url:*
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in<http://www.google.com/url?q=https%3A%2F%2Fhelp.linkedin.com%2Fapp%2Futils%2Flog_error%2Fet%2F0%2Fec%2F7%2Fcallback%2Fhttp%253A%252F%252Fattacker.in&sa=D&sntz=1&usg=AFQjCNHwFbje3XOKHpKQ48bGat-sG-MjCQ>


POC can be found on below mentioned Url:
http://computersecuritywithethicalhacking.blogspot.in/2012/09/linkedins-clickjacking-open-url.html

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ