LinkedIn closes OAuth hole that could have let people tinker with your CV


LinkedIn has closed a bit of a hole that could have let anyone swipe users' OAuth private login tokens.

OAuth, an open authorization standard, is used by social networking services such as Klout or Foursquare.

OAuth enables users to log in to such services by first signing in to the big social networks, such as Facebook and Twitter.

A software developer identified by The Register as Richard Mitchell, based in the UK, earlier this week blogged about discovering that LinkedIn's help site handed out private OAuth tokens for logged-in users.

These supposedly secret OAuth tokens can be used to impersonate LinkedIn users and potentially get at their profile information via APIs.

Mitchell noted that during authentication, when first loading the page, a request went out to a JavaScript file that included the API key for the help system, which "immediately" returned an OAuth token for the user.

In fact, all that the help desk JavaScript code was doing before handing over the token was checking that the last page the visitor went to was served from LinkedIn.com.

Unfortunately (or fortunately, if you're talking about maintaining your privacy or testing code), "referer spoofing" is a trivial thing for coders.

Somebody with malicious intent could log into LinkedIn and then hop over to a malicious page that's designed to poke the LinkedIn help site for somebody's OAuth token, The Register's John Leyden suggests.

Malware could also potentially access profile information using APIs, Leyden adds.

Mitchell writes:

I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user.

Thanks to Mitchell's responsible disclosure on 3 July, LinkedIn was able to fix the hole before any mischief came about. It did so by disabling requests without referrers.
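The weakness described above, a token handed out on the strength of the Referer header alone, is easiest to see next to a gate that relies on server-side session state instead. This is an added example, not LinkedIn's code or Mitchell's; the request shape, host names, header names and token values are all constructed assumptions.

```javascript
// Added example, not LinkedIn's code. Requests are modelled as plain objects;
// every host name, header name and token value here is constructed.
const SITE_HOST = "www.example.com";
const ALLOWED_ORIGINS = new Set(["https://help.example.com"]);

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Weak gate, as the article describes it: trust the Referer header alone.
function refererOnlyGate(req) {
  return hostOf(req.headers.referer || "") === SITE_HOST;
}

// Compare every character instead of stopping at the first mismatch.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened gate: the decision rests on server-side session state and a
// per-session secret, not on a header the client is free to choose.
function hardenedGate(req, sessions) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return false;                                  // no login, no token
  if (!ALLOWED_ORIGINS.has(req.headers.origin)) return false;  // exact match only
  return safeEqual(req.headers["x-csrf-token"], session.csrfToken);
}

// Constructed sample data.
const sessions = new Map([["sid-1", { user: "alice", csrfToken: "constructed-csrf-1" }]]);
const requests = {
  // Logged-in user on the real help page.
  legit: { cookies: { sid: "sid-1" }, headers: { referer: "https://www.example.com/help",
    origin: "https://help.example.com", "x-csrf-token": "constructed-csrf-1" } },
  // Client that merely supplies the expected Referer string.
  refererOnly: { cookies: {}, headers: { referer: "https://www.example.com/help" } },
  // Logged-in browser sent from another site: cookie present, Origin foreign.
  crossSite: { cookies: { sid: "sid-1" }, headers: { origin: "https://other.example" } },
};

function evaluate() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { weak: refererOnlyGate(req), hardened: hardenedGate(req, sessions) };
  }
  return out;
}

console.log(evaluate());
```

The second sample request passes the Referer-only gate without any session at all, which is why a header check on its own is not an authorization decision.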

A LinkedIn spokesman told The Register that Mitchell's account of the bug proved accurate:

"We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified."

In return for his trouble, LinkedIn thanked Mitchell with a t-shirt - "All the way from California" - he says.

Hurray for bug bounties!

I guess this bug was pretty small and easy to squash.

Otherwise, Mitchell likely would have gotten a more substantial reward.

A duvet cover, perhaps?

Image of mouse and CV and CV courtesy of Shutterstock.


One Response to LinkedIn closes OAuth hole that could have let people tinker with your CV

  1. markstockley · 399 days ago

    "LinkedIn was able to fix the hole ... by disabling requests without referrers."

    If that's their idea of a fix it sounds like LinkedIn could be dishing out a few more t-shirts before this is all over...

    M.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.