We had the ability to remove any post from LinkedIn
Using this bug, attackers could send a specially crafted request to the LinkedIn servers that removed a particular post from the platform. Had the problem not been addressed, the vulnerability could have been used to remove important information about individuals or companies, causing them serious damage.
Upon receiving the bug report, LinkedIn’s security department immediately began to investigate the situation. They took the necessary steps to fix the vulnerability and prevent possible incidents in the future.
Vulnerable request:
POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com
{"objectUrn":"urn:li:activity:6390481093803499520"}
Activity during a Burp Suite session
The following steps reproduce the vulnerability:
- Using Burp Suite, record the vulnerable request from your own session.
- In the recorded request, change the value of “objectUrn” to the post ID from the user’s activity.
- Send the modified request again from the same Burp Suite session. The post will be deleted from the victim’s account.
By doing so, attackers could exploit the vulnerability to delete any post from any account without even being properly authorized.
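The missing server-side check, as an added example that is not LinkedIn's code or part of the original write-up: a delete handler that trusts the client-supplied objectUrn next to one that verifies the authenticated member owns the post. The in-memory store, member names, URNs and function names are hypothetical.

```python
import json

# Constructed sample data: post URN -> owning member id (hypothetical).
POSTS = {
    "urn:li:activity:1111": "alice",
    "urn:li:activity:2222": "bob",
}


def delete_post_vulnerable(store, session_member, body):
    """Flawed pattern: a valid session is treated as permission to delete."""
    urn = json.loads(body)["objectUrn"]
    if urn not in store:
        return 404
    # session_member is never compared with the post's owner.
    del store[urn]
    return 200


def delete_post_checked(store, session_member, body):
    """Deletes only when the authenticated member owns the referenced post."""
    try:
        urn = json.loads(body)["objectUrn"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(urn, str):
        return 400
    owner = store.get(urn)
    # Same status for "no such post" and "not your post", so the
    # response does not confirm which URNs exist.
    if owner is None or owner != session_member:
        return 404
    del store[urn]
    return 200


if __name__ == "__main__":
    request_body = json.dumps({"objectUrn": "urn:li:activity:2222"})
    for handler in (delete_post_vulnerable, delete_post_checked):
        store = dict(POSTS)
        status = handler(store, "alice", request_body)
        survived = "urn:li:activity:2222" in store
        print(f"{handler.__name__}: status={status}, bob's post kept={survived}")
```

The ownership decision uses only the server-side session identity and the stored owner; nothing in the request body or CSRF token takes part in it.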
On April 11, 2023, the issue was publicized and we were paid ten thousand dollars through the Bug Bounty program. Additional information about the bug is published here.