May 27, 2012

LinkedIn "Invite to connect" CSRF vulnerability

I was browsing in my LinkedIn iPhone app and tried to add a friend. As far as I remember, I need to fill in a form about my relation to the user the request is directed to, i.e. business, education, other (need to enter an email), etc. It is important that the receiving user knows the relation in order to ignore spam and unwanted people in his network.

I noticed that the iPhone application sometimes does not ask for the email address of the requested contact. In most cases it does.
When no email address is requested, the invitation is sent right after clicking "invite to connect"; see the screenshot of the button below:
This is a security flaw: no email address is verified and no relation is selected, so the policy for adding a connection is bypassed.

When the email of the potential connection is requested, the following screen should appear:
Sending the email generates the following request:
POST /li/v1/messages HTTP/1.1
User-Agent: iphone3_1
Content-Length: 99
Accept: application/json
X-System-Version: 5.0.1
X-System-Name: iPhone OS
X-Device-Model: iPhone
X-LI-Track: {"clientVersion":"4.0.3","sessionId":"REMOVED-BY-NIRVALTMAN","carrier":"orange Israel","osVersion":"5.0.1","locale":"he_IL","osName":"iPhone OS","language":"en","model":"iphone3_1"}
X-App-Version: 4.0.3
X-User-Language: en
X-User-Locale: he_IL
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

A malicious user can create an HTML page that posts this request and thereby receive the connection request directly in his mailbox. The victim would not know about the invitation he sent to the malicious user. The vulnerability in this request is therefore CSRF (Cross-Site Request Forgery). To illustrate the attack, I sent the email by means of a CSRF attack from my personal account to the test account; the result can be seen in the screenshot below:

In conclusion, a malicious user can create a large network without the knowledge of his "new" connections (unless they have reviewed their updates recently).
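Added example, not LinkedIn's code: a server-side check showing how the forged form POST described above differs from the native app's request, and how a layered Origin/Referer check plus a required custom header (an HTML form cannot set X-App-Version, the app always sends it) rejects it. The trusted host list, the placeholder attacker host and the request bodies are constructed assumptions; the long-term fix remains a per-session anti-CSRF token in the body.

```python
from urllib.parse import urlsplit

# Assumption: hosts from which the real site serves its pages.
TRUSTED_HOSTS = {"www.linkedin.com", "m.linkedin.com"}
# Header a browser form cannot add, but the native app sends on every request.
APP_HEADER = "x-app-version"


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; JSON in X-LI-Track is fine
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def csrf_verdict(raw):
    """Return 'allow' or 'reject: <reason>' for one raw request."""
    request_line, headers, _ = parse_request(raw)
    if request_line.split()[0] not in ("POST", "PUT", "DELETE"):
        return "allow"  # state-changing methods only
    source = headers.get("origin") or headers.get("referer")
    if source:
        parts = urlsplit(source)  # exact host match, so lookalike hosts fail
        if parts.scheme != "https" or parts.netloc not in TRUSTED_HOSTS:
            return "reject: cross-site origin"
    # Origin/Referer may be absent (older browsers, stripped by proxies),
    # so the app-only header is the backstop that an HTML form cannot forge.
    if APP_HEADER not in headers:
        return "reject: missing app header"
    return "allow"


# Constructed samples modelled on the captured request; bodies are placeholders.
APP_REQUEST = ("POST /li/v1/messages HTTP/1.1\nX-App-Version: 4.0.3\n"
               "Content-Type: application/x-www-form-urlencoded\n\nsubject=connect")
FORGED_WITH_ORIGIN = ("POST /li/v1/messages HTTP/1.1\nOrigin: https://attacker.example\n"
                      "Content-Type: application/x-www-form-urlencoded\n\nsubject=connect")
FORGED_LOOKALIKE = ("POST /li/v1/messages HTTP/1.1\n"
                    "Origin: https://www.linkedin.com.attacker.example\n\nsubject=connect")
FORGED_NO_ORIGIN = ("POST /li/v1/messages HTTP/1.1\n"
                    "Content-Type: application/x-www-form-urlencoded\n\nsubject=connect")

if __name__ == "__main__":
    for name in ("APP_REQUEST", "FORGED_WITH_ORIGIN", "FORGED_LOOKALIKE", "FORGED_NO_ORIGIN"):
        print(name, "->", csrf_verdict(globals()[name]))
```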

Note: This notice was sent to LinkedIn in December 2012; I really hope that they fixed it. After all, I've been waiting 6 months for this fix.