LinkedIn Vulnerable to User Account Deletion via Clickjacking, found by Asish
This vulnerability has been accepted by LinkedIn; they are in the process of patching it, but it is not yet patched. The hack uses LinkedIn's own account deletion page.
Vulnerability Information:
Vulnerability Type: Clickjacking
Found By: Asish
Status: Unfixed
Alert Level: Critical
Website: http://linkedin.com
Default Account Closing page provided by LinkedIn:
This exploit uses the default Account Closing page. A user can close his account on LinkedIn by visiting the following page:
https://www.linkedin.com/secure/settings?closemyaccountstart=&goback=.nas_*1_*1_*1
Once he clicks Continue, the user has to click Verify account to close it.
And the final step
Exploit: Clickjacking Vulnerability
To exploit this, Asish has created a fake page with a small game. This page contains an invisible iframe which renders the Close Account page. The correct answer, in this case '82', is placed over the Continue and Verify account buttons from the vulnerable page and over 'Submit' on Close Account.
Once the user submits the right answer, his account will be removed from LinkedIn.
Are you curious to play this game?
The document is available here (Password: 8nj98F4h9AW)