We had the ability to remove any post from LinkedIn

We encountered a security issue on LinkedIn that allowed us to remove any post from an individual’s or company’s profile. Upon discovering this vulnerability, we immediately notified the company’s security department of the security breach through the Bug Bounty program.

Using this bug, attackers could send a specially crafted request to the LinkedIn servers, and this would lead to the removal of a particular post from the platform. If this problem had not been addressed, the vulnerability could be used to remove important information about individuals or companies, which would cause serious damage to the latter.

Upon receiving the bug report, LinkedIn’s security department immediately began to investigate the situation. They took the necessary steps to fix the vulnerability and prevent possible incidents in the future.


Request with vulnerability:

POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com

{"objectUrn":"urn:li:activity:6390481093803499520"}

Activity during a Burp Suite session

The following steps reproduce the vulnerability:

  • Using Burp Suite, capture the vulnerable request from your own session.
  • In the captured request, change the value of "objectUrn" to the post ID taken from the target user’s activity.
  • Resend the modified request from the same Burp Suite session. The post will be deleted from the victim’s account.

In this way, attackers could exploit the vulnerability to delete any post from any account without being authorized to do so.
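The missing control, as an added example that is not LinkedIn's code and not part of the original post: a delete handler that trusts the client-supplied "objectUrn" next to one that checks the post's owner against the session. The page does not describe the server side, so the handler names, the Session type, the in-memory store and the assumption that only the CSRF token was validated are all hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller may not perform the action on the referenced post."""

@dataclass(frozen=True)
class Session:
    member_id: str   # identity the server established at login
    csrf_token: str  # token bound to this session

# Constructed sample data: activity URN -> owning member (hypothetical store)
POSTS = {"urn:li:activity:1001": "alice", "urn:li:activity:2002": "bob"}

def delete_post_vulnerable(posts, session, csrf_token, body):
    """Assumed flaw: validates the CSRF token, then trusts the client's URN."""
    if csrf_token != session.csrf_token:
        raise Forbidden("bad CSRF token")
    return posts.pop(body["objectUrn"], None) is not None

def delete_post_hardened(posts, session, csrf_token, body):
    """Same request handling plus an object-level ownership check."""
    if csrf_token != session.csrf_token:
        raise Forbidden("bad CSRF token")
    urn = body.get("objectUrn")
    owner = posts.get(urn)
    # One error for "missing" and "not yours", so the response does not
    # confirm which URNs exist.
    if owner is None or owner != session.member_id:
        raise Forbidden("post not found or not owned by caller")
    del posts[urn]
    return True

def demo():
    """Replay one request (bob's session, alice's URN) against both handlers."""
    bob = Session("bob", "ajax:constructed-token")
    body = {"objectUrn": "urn:li:activity:1001"}  # alice's post
    weak, strong = dict(POSTS), dict(POSTS)
    deleted_weak = delete_post_vulnerable(weak, bob, bob.csrf_token, body)
    try:
        delete_post_hardened(strong, bob, bob.csrf_token, body)
        blocked = False
    except Forbidden:
        blocked = True
    return deleted_weak, blocked, body["objectUrn"] in strong

if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug replays a valid session's delete request against an object owned by a different test account and asserts that the object still exists afterwards.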

On April 11, 2023, the issue was publicized and we were paid ten thousand dollars through the Bug Bounty program. Additional information about the bug is published here.
