LinkedIn has closed a bit of a hole that could have let anyone swipe users’ private OAuth login tokens.
OAuth lets users log in to third-party services by first signing in to a big social network, such as Facebook or Twitter.
A software developer identified by The Register as Richard Mitchell, based in the UK, earlier this week blogged about discovering that LinkedIn’s help site handed out private OAuth tokens for logged-in users.
These supposedly secret OAuth tokens can be used to impersonate LinkedIn users and potentially get at their profile information via APIs.
Unfortunately (or fortunately, if you’re talking about maintaining your privacy or testing code), “referer spoofing” (faking the HTTP Referer header, which tells a site which page a request came from) is a trivial thing for coders.
Somebody with malicious intent could log into LinkedIn and then hop over to a malicious page that’s designed to poke the LinkedIn help site for somebody’s OAuth token, The Register’s John Leyden suggests.
Malware could also potentially access profile information using APIs, Leyden adds.
Thanks to Mitchell’s responsible disclosure on 3 July, LinkedIn was able to fix the hole before any mischief came about. It did so by disabling requests without referrers.
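To make the fix and its limits concrete, here is an added example, written for this article and not code from LinkedIn or from Mitchell. It models a token-handing endpoint's authorization decision in plain Python: `referer_only_check` is the fix the article describes (refuse requests with no Referer), and `authorize_token_request` layers on what a defender would normally want as well, namely that the Referer's origin matches the site's own and that the request carries a per-session anti-CSRF token. The host name `help.example.com`, the header name `X-CSRF-Token` and the sample requests are all constructed assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Assumed origin of the help site; stands in for whatever host the real site used.
TRUSTED_ORIGIN = "https://help.example.com"


def origin_of(url):
    """Return the lower-cased scheme://host[:port] of a URL, or None if unparseable.

    Comparing whole origins (not a string prefix) defeats look-alike hosts such as
    help.example.com.evil.net, which a naive startswith() check would accept.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_only_check(headers):
    """The fix described in the article: reject any request that lacks a Referer."""
    return bool(headers.get("Referer"))


def authorize_token_request(headers, session_csrf_token):
    """Decide whether a request may be handed the session's OAuth token.

    Returns (allowed, reason). A missing or foreign Referer fails, and so does a
    request without the anti-CSRF token that only a page on our own origin could
    have read from the session. compare_digest keeps the comparison constant-time.
    """
    referer = headers.get("Referer")
    if not referer:
        return False, "missing Referer"
    if origin_of(referer) != TRUSTED_ORIGIN:
        return False, "foreign Referer origin"
    supplied = headers.get("X-CSRF-Token", "")
    if not supplied or not hmac.compare_digest(supplied, session_csrf_token):
        return False, "bad or missing CSRF token"
    return True, "ok"


# Constructed sample requests; a real server would read these from the request.
SESSION_TOKEN = "f3a1c0de9b7e4d2a"  # constructed per-session secret
SAMPLE_REQUESTS = {
    "no referer": {},
    "foreign page": {"Referer": "https://evil.example.net/grab",
                     "X-CSRF-Token": SESSION_TOKEN},
    "lookalike host": {"Referer": "https://help.example.com.evil.net/",
                       "X-CSRF-Token": SESSION_TOKEN},
    "own site, no token": {"Referer": "https://help.example.com/faq"},
    "own site, valid": {"Referer": "https://help.example.com/faq",
                        "X-CSRF-Token": SESSION_TOKEN},
}


def evaluate_all():
    """Run every sample through both checks; returns {name: (referer_only, layered)}."""
    return {
        name: (referer_only_check(h), authorize_token_request(h, SESSION_TOKEN))
        for name, h in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (simple, layered) in evaluate_all().items():
        print(f"{name:20s} referer-only={simple!s:5s} layered={layered}")
```

The "foreign page" sample is the interesting one: it passes the Referer-presence check alone, so a fix that only refuses Referer-less requests is a narrow patch rather than a full defence. The layered check also has a cost worth knowing about: browsers and privacy extensions routinely strip Referer, so rejecting its absence can lock out legitimate users, which is one more reason to rely on the per-session token rather than on the header.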
A LinkedIn spokesman told The Register that Mitchell’s account of the bug proved accurate:
"We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified."
In return for his trouble, LinkedIn thanked Mitchell with a t-shirt – “All the way from California” – he says.
Hurray for bug bounties!
I guess this bug was pretty small and easy to squash.
Otherwise, Mitchell likely would have gotten a more substantial reward.
A duvet cover, perhaps?