Vulnerability Management

[Responsible Disclosure] How we could have deleted any LinkedIn post

Issue was disclosed on April 11th, 2023 & was fixed earlier. LinkedIn rewarded with a bounty of $10,000.


Written by Anand Prakash

April 18, 2023 | 2 min read

We discovered a security issue on LinkedIn that could delete any post of an individual or company profile. Upon discovering the vulnerability, we reported the security issue immediately to LinkedIn’s security team through their bug bounty program.

The bug could have allowed attackers to send a specially crafted request to LinkedIn’s servers, which could result in deleting any post on the platform. If left unaddressed, this vulnerability could have been exploited to remove important content, such as individual/company posts, causing significant damage to individuals or companies.

Upon receiving the report, LinkedIn’s security team promptly investigated the issue. They took action to patch the vulnerability, preventing any further exploitation.

The root cause of the vulnerability was an insecure direct object reference (IDOR) in the delete post request. This vulnerability arose due to a lack of proper authorization checks on the delete post API request on the mobile website: the server verified that the caller was logged in, but not that the caller owned the post being deleted. As a result, an attacker could replace the “objectUrn” in the delete post request with that of any other post (the objectUrn is publicly visible for every post) and delete it using their own session.

Vulnerable Request

POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com

{"objectUrn":"urn:li:activity:6390481093803499520"}

[Image: Session activity within Burp Suite]

We shared the following steps to reproduce the vulnerability:

  1. Use Burp Suite to record the vulnerable request using your own session.
  2. Modify the “objectUrn” in the vulnerable request to that of the victim’s post-activity ID.
  3. Replay the modified request using Burp Suite. The post will be deleted from the victim’s account.

By following these steps, attackers could exploit the vulnerability to delete any post on LinkedIn without proper authorization.

This issue was disclosed publicly on April 11th, 2023, and was rewarded with a bounty of $10,000.

Find more information about the vulnerability here: https://hackerone.com/reports/337755