The root cause of the vulnerability was an insecure direct object reference in the delete post request
Anand Prakash, founder and CEO of PingSafe, discovered a bug in LinkedIn that allowed attackers to delete posts from an individual's or company's profile. By sending a specially crafted request to LinkedIn's servers, an attacker could delete any post on the platform.
In a blog post, Prakash explained, “Upon discovering the vulnerability, we reported the security issue immediately to LinkedIn’s security team through their bug bounty program. If left unaddressed, this vulnerability could have been exploited to remove important content, such as individual/company posts, causing significant damage to individuals or companies”.
“LinkedIn was quick enough to investigate the issue, upon receiving the report. They were prompt enough to take quick actions to patch the vulnerability and took necessary measures to prevent any further exploitation,” he added.
The root cause of the vulnerability was an insecure direct object reference (IDOR) in the delete post request. It arose from a lack of proper authorisation checks on the delete post API request on the mobile website. The “objectUrn” that identifies a post is publicly available for all posts, so an attacker could change the “objectUrn” in the delete post request and delete the post using their own session.
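The missing check described above, as an added example (not LinkedIn's code and not from the original article): a delete handler that trusts the client-supplied objectUrn, next to one that authorises the session against the post's owner. The URN strings, the store layout, the company-admin table and all function names are constructed assumptions.

```python
import copy

# Constructed sample data (assumption): posts keyed by objectUrn with their owner.
POSTS = {
    "urn:example:post:100": {"owner": "urn:example:member:alice"},
    "urn:example:post:200": {"owner": "urn:example:member:bob"},
    "urn:example:post:300": {"owner": "urn:example:company:acme"},
}
# Constructed (assumption): members allowed to act for a company page.
COMPANY_ADMINS = {"urn:example:company:acme": {"urn:example:member:bob"}}


class Forbidden(Exception):
    """Raised when the session may not perform the requested action."""


def fresh_store():
    return copy.deepcopy(POSTS)


def delete_post_vulnerable(store, session, object_urn):
    # IDOR: a valid session is required, but the client-supplied objectUrn
    # is never compared with the identity behind that session.
    if not session.get("member"):
        raise Forbidden("login required")
    return store.pop(object_urn, None) is not None


def may_delete(actor, post):
    # Authorised if the actor owns the post or administers the owning company.
    owner = post["owner"]
    return owner == actor or actor in COMPANY_ADMINS.get(owner, set())


def delete_post_hardened(store, session, object_urn, audit_log):
    actor = session.get("member")
    if not actor:
        raise Forbidden("login required")
    post = store.get(object_urn)
    if post is None or not may_delete(actor, post):
        # Record the denial for detection; same answer for missing and foreign posts.
        audit_log.append(("delete_denied", actor, object_urn))
        raise Forbidden("post not found or not permitted")
    del store[object_urn]
    audit_log.append(("delete_ok", actor, object_urn))
    return True
```

The denial entries in the audit log are what a detection rule would key on: one session producing repeated `delete_denied` events across many different objectUrn values.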
LinkedIn awarded a bounty of $10000 for the responsible disclosure of the issue. Asked about the root cause behind the security vulnerability, Prakash explained, “Missing authorisation and authentication led to this vulnerability where deleting any post on LinkedIn was possible. Catching such security loopholes is difficult by most of the API security tools as they lack manual & business logic testing”.