How I Defeated LinkedIn’s 3rd-degree Profile Security

This issue is already patched by LinkedIn House Security and disclosed after a responsible disclosure.

It was an early morning and I was in the middle of a submission of an assignment at my college. I got an email from LinkedIn displaying the people who viewed my profile. This made me log into LinkedIn for a while to have a look what’s new. I saw a random profile who was a 3rd-degree relation. I really wanted to view the profile for some reason.  At the very same time I was viewing Olivia Maree’s LinkedIn profile. Well, she is a manager at Bugcrowd and a good friend of mine. I always keep an eye on the URLs 😉 so after viewing both profiles and analyzing the web application carefully that morning I got some tricky ideas in my head. I will explain from the beginning so that you can understand the process well. Let’s start fuzzing 🙂

1

GET /profile/view?id=31594124&authType=name&authToken=HM8p&trk=prof-sb-browse_map-name HTTP/1.1

As she is already connected in my profile so after having a look at the GET request the “authType” parameter has a value of “name” and the token parameter is “authToken”, it has a value of “HM8p”. This is her profile.

(more…)