Clickjacking Vulnerability found in Linkedin leads to account Deletion

LinkedIn Vulnerable to User Account Delete using Click jacking, found by Asish

This Vulnerability is accepted by LinkedIn they are in a process to patched it but not yet patched. The hack use the Linkedin account deletion page itself.

Vulnerability Information:

Vulnerability Type: ClickJacking
Found By: Asish
Status: UnFixed
Alert Level: Critical
Website: http://linkedin.com

Default Account Closing page provided by Linkedin:

This exploit use the default Account Closing page.
User can close his account from LinkedIn by visiting the following page
https://www.linkedin.com/secure/settings?closemyaccountstart=&goback=.nas_*1_*1_*1

Once he click continue user have to click on verify account to close

And Final Step

Exploit:ClickJacking Vulnerability

To exploit this Asish have created a fake page with a small game. This page has an invisible iframe which renders remove close account page. The correct answer, in this case ‘82’, is placed over the Continue and Verify account from vulnerable page & ‘Submit’ on Close Account.

Once user submit the right answer his account will be removed from LinkedIn

Are you curious to play this Game?

The document is available here(Password: 8nj98F4h9AW)

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Clickjacking Vulnerability found in Linkedin leads to account Deletion

Exploit:ClickJacking Vulnerability

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Menu Item

Exploit:ClickJacking Vulnerability

Next

Newer Post

Previous

Older Post

Click Session Hijacking

Linkedin Hacks

Vulnerability