LinkedIn - Unrestricted File Upload



Hi All,

Once upon a time, LinkedIn introduced a new feature in its messaging: file upload.
That is, while sending a message to a LinkedIn user, you can upload a file.

Introduction:-

What is an unrestricted file upload bug?
Uploaded files represent a significant risk to the application. When we see upload functionality in an application, as bug hunters we generally try to upload a malicious file to the server and carry out malicious activity from there.
Please note I said server. If the attacker successfully uploads a malicious file to the server, then it's simply GAME OVER.

How it started :-

Once upon a time, during December 2014, I was trying to send a message to one of my colleagues. During that time I observed that LinkedIn had introduced a new feature for uploading files. That was when I had just entered bug hunting; inspired by my mentor, who had found a bunch of bugs on the LinkedIn platform, I also started digging deep into this new functionality in the hope of getting some juicy fruits.

Proof of Concept:- 

During my research I observed that this new functionality of sending messages with an upload option can easily be used to perform malicious activity.

Part 1:- 
Bypassing client side validation to upload malicious file 

Attacker :- Nilesh
Victim   :-  Nikhil

1] The attacker sends a malicious file to his colleague Nikhil



2] Because of the client-side validation you cannot send any malicious file to your colleagues :(




Bypassing client-side validation

3] Change the file extension and upload the file. I have changed the file extension from .php to .txt
    No error, file uploaded successfully.
   [LinkedIn not verifying File contents :P]



4] The next step is to capture the request in a proxy like Burp



5] Change the file extension from .txt to .php



6] BINGO - No Server side validation in place and malicious file sent to the user  :)
    (Client side validation bypassed)
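
The server-side check that steps 3 and 6 show was missing, as an added example (not code from the original post or from LinkedIn): the server validates the filename and bytes exactly as it receives them, whatever the client-side check allowed. The allowlist, marker list, function names and sample files are assumptions constructed for illustration.

```python
import os

# Assumed policy for this example: the only extensions the messaging feature accepts.
ALLOWED = {".txt", ".pdf", ".png", ".jpg"}
# Leading bytes a binary attachment must have to match its claimed extension.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
# Illustrative (not exhaustive) markers of script content a .txt must not carry.
ACTIVE = (b"<?php", b"<?=", b"<script", b"<html", b"<iframe", b"<svg")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Check the name and bytes exactly as they arrive in the request."""
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if not name or any(ord(c) < 32 for c in name):
        return False, "bad filename"
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if ext in MAGIC:
        ok = data.startswith(MAGIC[ext])
        return ok, "ok" if ok else "content does not match extension"
    lowered = data.lower()
    if b"\x00" in data or any(m in lowered for m in ACTIVE):
        return False, "active or binary content in text file"
    return True, "ok"


def download_headers(stored_name: str) -> dict[str, str]:
    """Serve attachments as inert downloads; stored_name is server-generated."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a benign file, the step 3 and step 5 uploads, an .html file.
PHP = b"<?php echo 'constructed sample'; ?>"
SAMPLES = [("notes.txt", b"Meeting at 10\n"), ("resume.txt", PHP), ("resume.php", PHP),
           ("invoice.html", b"<html><script>/* constructed */</script></html>")]

if __name__ == "__main__":
    for fname, body in SAMPLES:
        print(fname, validate_upload(fname, body))
```

Only the first sample is accepted; the renamed `.txt` from step 3 fails the content check and the `.php` name from step 5 fails the extension allowlist.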



Hold on. If you have read the Introduction carefully, I explicitly specified that in most cases, when finding a bug related to file upload, we generally upload the file to the server.
So the attack would be more impactful if an attacker were able to upload the file to the victim server.

BUT over here we are not uploading a malicious file to the LinkedIn server; we are simply sending a malicious file via the "LinkedIn Platform" to other LinkedIn users.




Fig :- Attacker using LinkedIn Platform to distribute malicious file to LinkedIn users.

So how can this be impactful to other LinkedIn users?

Answer is:-
To demonstrate the impact of the file upload I used the BeEF framework, with which I was able to hijack user credentials ;)

Part 2:- 
Exploiting the file upload vulnerability using the BeEF framework

Send a malicious .html file with a BeEF hook to the victim. That's it: once the victim opens the attached file and clicks on the message, GAME OVER, the attacker will easily hijack the user's credentials.

How can this be done practically? The answer is using a BeEF hook. If this is the first time you have heard the term BeEF, then I recommend you read this article of mine.

Kindly check the video POC to see how easily any malicious user can hijack other users' credentials via the LinkedIn platform.


Video POC :- 




Well, after this I reported this bug to LinkedIn Security and got a quick reply.



Well, so in this case I did not get any reward or T, if you know what I mean ;)

The reason behind this is that I am not able to upload any malicious file on their server.

But let me tell you one thing: "Security researchers are not inherently entitled to money for finding security flaws." But yes, it's about learning a new thing / learning a new way to hack.

Nevertheless, I am happy that I bypassed LinkedIn file upload restrictions.



Moral of the story:-

Lesson Learned:-
1] File upload bypass techniques
2] BeEF framework
3] New Learning


Time-Line:

Vulnerability timeline:

Dec 12, 2014 at 06:02 PM : Reported to LinkedIn Security Team
Dec 12, 2014 at 11:48 PM : Received initial reply from LinkedIn Security Team
Dec 13, 2014 at 04:50 PM : Additional Information Provided
Apr 28, 2015 at 09:23 PM : Patched the reported bug
Nov 15, 2015 at 10:35 AM : Publicly Disclosed


Thank you for reading and I hope you learned something new.

Appreciate your comments and feedback.