PingSafe is now SentinelOne's Singularity™ Cloud Native Security. Website sunsets on 4th June.

Learn More

Vulnerability Management

[Responsible Disclosure] How we could have deleted any LinkedIn post

Issue was disclosed on April 11th, 2023 & was fixed earlier. LinkedIn rewarded with a bounty of $10,000.

Anand Prakash

Written by Anand Prakash

April 18, 2023 | 2 min read

We discovered a security issue on LinkedIn that could delete any post of an individual or company profile. Upon discovering the vulnerability, we reported the security issue immediately to Linkedin’s security team through their bug bounty program.

The bug could have allowed attackers to send a specially crafted request to Linkedin’s servers, which could result in deleting any post on the platform. If left unaddressed, this vulnerability could have been exploited to remove important content, such as individual/company posts, causing significant damage to individuals or companies.

Upon receiving the report, Linkedin’s security team promptly investigated the issue. They took action to patch the vulnerability, preventing any further exploitation.

The root cause of the vulnerability was an insecure direct object reference in the delete post request. This vulnerability arose due to a lack of proper authorization checks on the delete post API request on the mobile website. As a result, an attacker could change the “objectUrn” in the delete post request, which is available publicly for all posts, and delete the post using their session.

Vulnerable Request

POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com

{"objectUrn":"urn:li:activity:6390481093803499520"}
Session activity within Burp Suite

We shared the following steps to reproduce the vulnerability:

  1. Use Burp Suite to record the vulnerable request using your own session.
  2.  Modify the “objectUrn” in the vulnerable request to that of the victim’s post-activity ID.
  3.  Replay the modified request using Burp Suite. The post will be deleted from the victim’s account.

By following these steps, attackers could exploit the vulnerability to delete any post on LinkedIn without proper authorization.

This issue was disclosed publicly on April 11th, 2023, and was rewarded with a bounty of $10,000. 

Find more information about the vulnerability here: https://hackerone.com/reports/337755