
Indian Security Researcher Anand Prakash Finds Security Flaw In LinkedIn, Awarded Rs 8 Lakh


Anand Prakash, Founder and CEO of PingSafe, discovered a bug in LinkedIn that allowed an attacker to delete posts from any individual's or company's profile. The flaw allowed an attacker to send a specially crafted request to LinkedIn's servers that deleted any post on the platform, not just the attacker's own.

In a blog post, Prakash explained, "Upon discovering the vulnerability, we reported the security issue immediately to LinkedIn's security team through their bug bounty program. If left unaddressed, this vulnerability could have been exploited to remove important content, such as individual/company posts, causing significant damage to individuals or companies".

"LinkedIn was quick enough to investigate the issue upon receiving the report. They were prompt enough to take quick actions to patch the vulnerability and took necessary measures to prevent any further exploitation," he added.


The root cause of the vulnerability was an insecure direct object reference (IDOR) in the delete-post request. The delete-post API endpoint used by the mobile website authenticated the caller's session but did not check that the caller actually owned the post being deleted. Because a post's "objectUrn" is public for every post on the platform, an attacker only had to replace the objectUrn in their own legitimate delete request with the objectUrn of someone else's post; the server then deleted that post under the attacker's session. The public nature of the identifier is the important caveat here: hiding or randomising the objectUrn would not have helped, since the only real defence is a server-side ownership check on every delete.
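The following is an added illustration of the bug class described above, not LinkedIn's code or anything from Prakash's report. It models a delete-post endpoint twice: a vulnerable version that only authenticates the session, and a patched version that also verifies the requesting user owns the post identified by the objectUrn in the request body. The URN format, cookie name, session tokens, users and posts are all constructed sample data for the example; the HTTP status codes are the ones a practitioner would normally expect, not LinkedIn's actual responses.

```python
"""Hypothetical model of an IDOR in a delete-post API (added example, not LinkedIn's code)."""
import json
from dataclasses import dataclass, field


@dataclass
class Post:
    object_urn: str  # public identifier, visible to anyone who can view the post
    owner: str       # account that created the post


@dataclass
class Backend:
    """In-memory stand-in for the server side. All data below is constructed sample data."""
    sessions: dict = field(default_factory=lambda: {
        "sess-alice": "alice",
        "sess-mallory": "mallory",
    })
    posts: dict = field(default_factory=lambda: {
        "urn:li:activity:1001": Post("urn:li:activity:1001", "alice"),
        "urn:li:activity:2002": Post("urn:li:activity:2002", "mallory"),
    })

    def _authenticate(self, session_token):
        """Authentication only: which user does this session belong to?"""
        return self.sessions.get(session_token)

    def delete_post_vulnerable(self, session_token, object_urn):
        """Checks that the caller is logged in but never checks that the caller owns the post."""
        user = self._authenticate(session_token)
        if user is None:
            return 401
        if object_urn not in self.posts:
            return 404
        del self.posts[object_urn]  # any authenticated user can delete any post (IDOR)
        return 200

    def delete_post_fixed(self, session_token, object_urn):
        """Same flow plus the missing authorisation check: post.owner must equal the session user."""
        user = self._authenticate(session_token)
        if user is None:
            return 401
        post = self.posts.get(object_urn)
        if post is None:
            return 404
        if post.owner != user:
            return 403  # the check that was missing in the vulnerable handler
        del self.posts[object_urn]
        return 200


def handle_delete_request(backend, raw_request, patched):
    """Parse a request shaped like {"cookie": "session=<token>", "body": '{"objectUrn": "..."}'}.

    The attacker's only change to their own legitimate delete request is the objectUrn value
    in the body; the session cookie stays theirs.
    """
    token = None
    for part in raw_request.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            token = value
    try:
        object_urn = json.loads(raw_request.get("body", "{}")).get("objectUrn")
    except json.JSONDecodeError:
        return 400
    if not isinstance(object_urn, str):
        return 400
    handler = backend.delete_post_fixed if patched else backend.delete_post_vulnerable
    return handler(token, object_urn)


def attack(patched):
    """Mallory replays her own delete request with Alice's public objectUrn swapped in.

    Returns (status_code, alice_post_still_exists).
    """
    backend = Backend()
    crafted = {
        "cookie": "session=sess-mallory",
        "body": json.dumps({"objectUrn": "urn:li:activity:1001"}),  # Alice's post, not Mallory's
    }
    status = handle_delete_request(backend, crafted, patched)
    return status, "urn:li:activity:1001" in backend.posts


if __name__ == "__main__":
    print("vulnerable:", attack(patched=False))  # (200, False): Alice's post is gone
    print("patched:   ", attack(patched=True))   # (403, True): request refused, post intact
```

The fixed handler deliberately keeps authentication and authorisation as two separate steps; the bug class is that the second step was absent, which is why, as the article notes, automated scanners that only confirm a request needs a valid session tend to miss it.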
 
LinkedIn rewarded a bounty of $10,000 for responsibly disclosing the issue. Asked about the root cause of the vulnerability, Prakash explains: "Missing authorisation and authentication led to this vulnerability where deleting any post on LinkedIn was possible. Catching such security loopholes is difficult for most of the API security tools as they lack manual & business logic testing".
 
