MoinQ:

Contents

  1. history

5.3.3 LinkedIn

We found that LinkedIn was potentially vulnerable to the Unexpired Session Attack and a variant of the Trojan Identifier Attack.

Unexpired Session Attack.

This was potentially feasible
because LinkedIn did not by default invalidate the active
sessions of an account after a password change.
An option for doing this was displayed during the password change
procedure, but was not selected by default. 
If the victim did not select this option, the account remained vulnerable to
this type of attack. 

We also noticed that this attack could be
performed using the email verification trick (Section 4.6).

Trojan Identifier Attack.

This was potentially feasible because LinkedIn provides the option to associate multiple
email addresses with an account. 
As described in Section 4.3,
the attacker creates an account with the victim’s email address
and then adds their own email address to the account. 
This sends an email-change verification URL to the attacker’s email address.
After the victim recovers the account and confirms their
own email address, any attempt to confirm another email
address must be made from an authenticated session. 

The attacker thus needs the victim to visit the confirmation URL
on the attacker’s behalf (e.g., through a CSRF attack). 
If successful, the attacker could request a one-time sign in link
for this account to be sent to their email address, allowing
them to access the account without the victim’s password.

As LinkedIn is a professional social network and an IdP, 
a successful attack could allow the attacker to read the victim’s
sensitive conversations, impersonate the victim, or sign in as
the victim at other services where the victim uses LinkedIn as an IdP. 

We reported our findings to LinkedIn in June 2021.
As a result, LinkedIn changed the default behavior to invali-
date active sessions after a password change, thus mitigating
the Unexpired Session Attack. 

They also noted that they use multiple defense in depth techniques 
to minimize the window of vulnerability for Trojan Identifier Attacks. 
Firstly, the email-change verification URLs are only valid for a limited
period of time, forcing the attacker to refresh these regularly.
Secondly, there is only a short time window after the victim’s
last authentication in which email-change confirmations will
be accepted without requiring re-authentication. 
After this window, the victim will be asked to re-authenticate, which
would likely raise suspicion. 
Finally, LinkedIn uses various anti-abuse controls to prevent the creation of multiple ac-
counts with unconfirmed email addresses. 

We discuss these defenses further in Section 6.2.2.

1. history


CategoryDns CategoryWatch CategoryTemplate

MoinQ: なりすまし/account_pre-hijacking/5/5.3.3 (last edited 2022-05-31 09:29:38 by ToshinoriMaeno)