Thursday 13 October 2011

Clickjacking Vulnerability found in Linkedin leads to account Deletion


LinkedIn has acknowledged this vulnerability and is in the process of patching it, but it is not yet patched. The attack uses LinkedIn's own account deletion page.

Vulnerability Information:
  • Vulnerability Type: ClickJacking
  • Found By: Asish
  • Status: Unfixed
  • Alert Level: Critical
  • Website:

Default Account Closing page provided by Linkedin:
This exploit uses the default Account Closing page.
A user can close his account on LinkedIn by visiting the following page

Once the user clicks Continue, he then has to click Verify Account to close the account.

And the final step:

Exploit: ClickJacking Vulnerability

To exploit this, Asish created a fake page with a small game. The page contains an invisible iframe that renders the Close Account page. The correct answer, in this case ‘82’, is positioned exactly over the Continue and Verify Account buttons of the vulnerable page, and over ‘Submit’ on the Close Account step.

Once the user submits the right answer, his account is removed from LinkedIn, because every click on the game was actually delivered to the framed Close Account page.
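The reason a game page can frame the Close Account flow at all is that the response carries no anti-framing header. The following check, added here as an example and not part of the original post or of LinkedIn's code, inspects a response's headers for the two controls that block cross-site framing, X-Frame-Options and the CSP frame-ancestors directive, and reports whether a page like the one described above could be embedded in an attacker's iframe. The header sets at the bottom are constructed samples; the header names and values are the real ones defined in the standards.

```python
"""Check HTTP response headers for clickjacking (framing) protection.

Added example, not code from the original post. It takes a mapping of
response header names to values (as e.g. requests.Response.headers gives)
and decides whether a browser would refuse to render the page inside a
cross-site iframe.
"""
from typing import Dict, List, Mapping, Tuple


def _lower_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them once."""
    return {name.lower(): value for name, value in headers.items()}


def parse_csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason).

    protected is True when the headers restrict which origins may frame
    the page, False when any site can load it in an iframe and overlay
    decoy content on its buttons (the clickjacking condition).
    """
    h = _lower_headers(headers)

    # CSP frame-ancestors is the modern control and takes precedence over
    # X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    ancestors = parse_csp_directives(csp).get("frame-ancestors")
    if ancestors is not None:
        if "*" in ancestors:
            return False, "CSP frame-ancestors * allows any site to frame the page"
        return True, "CSP frame-ancestors " + " ".join(ancestors)

    # Legacy control: DENY and SAMEORIGIN are honoured everywhere;
    # ALLOW-FROM restricts framing to one origin but is poorly supported.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options " + xfo + " (legacy, not honoured by all browsers)"

    return False, "no framing restriction: page can be embedded in a cross-site iframe"


# Constructed sample responses for a state-changing page such as an
# account-closing form (not captured from any real site).
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Run framing_protection over a set of named responses."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit(
        {"vulnerable": VULNERABLE_RESPONSE, "hardened": HARDENED_RESPONSE}
    ).items():
        print(f"{name}: {'protected' if ok else 'FRAMEABLE'} ({reason})")
```

Both headers are sent in the hardened sample on purpose: frame-ancestors is what current browsers enforce, and X-Frame-Options covers older ones. A page that performs a destructive action on a plain click, as the Close Account flow here does, is exactly the kind of page this check should be run against in a deployment test.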

Are you curious to play this Game?

The document is available here (Password: 8nj98F4h9AW)