
Thursday 13 October 2011

Clickjacking Vulnerability Found in LinkedIn Leads to Account Deletion


LinkedIn has acknowledged this vulnerability and is in the process of patching it, but it is not yet fixed. The attack uses LinkedIn's own account deletion page.

Vulnerability Information:
  • Vulnerability Type: ClickJacking
  • Found By: Asish
  • Status: Unfixed
  • Alert Level: Critical
  • Website: http://linkedin.com

Default account closing page provided by LinkedIn:
This exploit uses the default account closing page.
A user can close his account on LinkedIn by visiting the following page:
https://www.linkedin.com/secure/settings?closemyaccountstart=&goback=.nas_*1_*1_*1

Once he clicks Continue, the user has to click Verify Account to close it.


And the final step:


Exploit: Clickjacking Vulnerability


To exploit this, Asish created a fake page with a small game. The page contains an invisible iframe that renders LinkedIn's close account page. The correct answer, in this case '82', is positioned so that it sits exactly over the Continue and Verify Account buttons of the vulnerable page and over 'Submit' on Close Account.

Once the user submits the right answer, his account is removed from LinkedIn.
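The attack only works because the close account page can be loaded inside a third-party iframe. As an added example (not part of the original post and not LinkedIn's code), the Node.js snippet below reads a response's headers and classifies whether another origin may frame the page, and shows the headers a sensitive state-changing page should send. The header values and the `partner.example` origin are constructed for illustration.

```javascript
// Classify a response's framing policy from its headers.
// Returns 'deny', 'same-origin', 'allow-list' or 'open'.
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them for lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));

  // CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    const srcs = fa.slice(1).map(s => s.toLowerCase());
    // An empty source list means the same as 'none'.
    if (srcs.length === 0 || srcs.includes("'none'")) return 'deny';
    if (srcs.every(s => s === "'self'")) return 'same-origin';
    return 'allow-list';
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers, so treat it,
  // like a missing or malformed header, as no protection at all.
  return 'open';
}

// A page is exposed to the attack above when any origin may frame it.
function isClickjackable(headers) {
  return framingPolicy(headers) === 'open';
}

// Headers a state-changing page such as an account closure form should send.
// Both are emitted so browsers without CSP support still honour X-Frame-Options.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample responses: an unprotected page like the one described
// in the post, and the same page with anti-framing headers added.
const unprotected = { 'Content-Type': 'text/html', 'Set-Cookie': 'session=constructed' };
const hardened = { 'Content-Type': 'text/html', ...antiFramingHeaders() };

console.log('unprotected:', framingPolicy(unprotected)); // open
console.log('hardened:', framingPolicy(hardened));       // deny
```

In practice this check is run against the live response of every page that performs a sensitive action, and any result of 'open' is treated as a finding.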

Are you curious to play this Game?

The document is available here (Password: 8nj98F4h9AW).