LinkedIn has closed a bit of a hole that could have let anyone swipe users’ OAuth private login tokens.
OAuth, an open authorization standard, is used by social networking services such as Klout or Foursquare.
OAuth enables users to log in to such services by first signing in to the big social networks, such as Facebook and Twitter.
A software developer identified by The Register as Richard Mitchell, based in the UK, earlier this week blogged about discovering that LinkedIn’s help site handed out private OAuth tokens for logged-in users.
These supposedly secret OAuth tokens can be used to impersonate LinkedIn users and potentially get at their profile information via APIs.
Mitchell noted that during authentication, when first loading the page, a request went out to a JavaScript file that included the API key for the help system, which “immediately” returned an OAuth token for the user.
In fact, all that the help desk JavaScript code was doing before handing over the token was checking, via the HTTP Referer header, that the last page the visitor went to was served from LinkedIn.com.
Unfortunately (or fortunately, if you’re talking about maintaining your privacy or testing code), “referer spoofing” is a trivial thing for coders.
Somebody with malicious intent could log into LinkedIn and then hop over to a malicious page that’s designed to poke the LinkedIn help site for somebody’s OAuth token, The Register’s John Leyden suggests.
Malware could also potentially access profile information using APIs, Leyden adds.
Mitchell writes:
I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user.
Thanks to Mitchell’s responsible disclosure on 3 July, LinkedIn was able to fix the hole before any mischief came about. It did so by disabling requests without referrers.
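As an added illustration (not code from the article, from Mitchell, or from LinkedIn), here are the two gates in miniature: a Referer-based check of the kind described above, beside a check bound to server-side session state that a forged header alone cannot satisfy. The hostnames, header names and session store are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed allowlist for the example; not LinkedIn's real configuration.
TRUSTED_ORIGINS = {"https://www.linkedin.com", "https://help.linkedin.com"}


@dataclass
class Request:
    headers: dict
    cookies: dict = field(default_factory=dict)


def referer_looks_internal(req: Request) -> bool:
    """The weak gate the article describes: trust the Referer header.
    Rejecting an absent Referer (LinkedIn's fix) still trusts whatever
    value a non-browser client chooses to send."""
    ref = req.headers.get("Referer", "")
    return any(ref == o or ref.startswith(o + "/") for o in TRUSTED_ORIGINS)


class SessionStore:
    """Server-side sessions: the user plus a per-session anti-CSRF secret."""
    def __init__(self):
        self._sessions = {}

    def login(self, user: str):
        sid, csrf = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "csrf": csrf}
        return sid, csrf  # sid goes in a cookie, csrf into the page's own JS

    def lookup(self, sid: str):
        return self._sessions.get(sid)


def issue_token_hardened(req: Request, store: SessionStore):
    """Hardened gate: every condition is checked against state the server
    created, so a forged header alone cannot satisfy it.
    1. a session cookie that maps to a logged-in user
    2. an Origin header on the allowlist (set by the browser, not by page script)
    3. the session's anti-CSRF secret echoed in a custom header; a cross-site
       request cannot add custom headers without a CORS preflight we never grant
    Returns a fresh token for that user, or None."""
    sess = store.lookup(req.cookies.get("sid", ""))
    if sess is None:
        return None
    if req.headers.get("Origin") not in TRUSTED_ORIGINS:
        return None
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), sess["csrf"]):
        return None
    return {"user": sess["user"], "token": secrets.token_urlsafe(24)}
```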
A LinkedIn spokesman told The Register that Mitchell’s account of the bug proved accurate:
"We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified."
In return for his trouble, LinkedIn thanked Mitchell with a t-shirt – “All the way from California” – he says.
Hurray for bug bounties!
I guess this bug was pretty small and easy to squash.
Otherwise, Mitchell likely would have received a more substantial reward.
A duvet cover, perhaps?
"LinkedIn was able to fix the hole … by disabling requests without referrers."
If that's their idea of a fix it sounds like LinkedIn could be dishing out a few more t-shirts before this is all over…
M.