A vulnerability of the HTML injection type, which allows an attacker to send phishing emails authenticated by LinkedIn (sent by LinkedIn itself from an @linkedin.com address), was found by information security researcher Ricardo Martins, from MITI Security.
According to the researcher, who has already identified other flaws and bugs in the corporate social network, this is a very dangerous vulnerability because it allows a cybercriminal to send a fake email through LinkedIn’s own email notification system. The attack does not require access to the victim’s email address; it only requires that the victim have a LinkedIn profile.
In a simulation, the researcher demonstrated the attack to The Hack. It starts by injecting HTML into a particular process, which will not be detailed because it is still vulnerable. After that initial step, the victim receives an email from LinkedIn itself, from the address “[email protected]”, and on opening it finds the official LinkedIn message, but with its content altered by the attacker.
As Martins explains, because this is an HTML injection, the content of the message can be completely tampered with, including the email’s title and subject, allowing the cybercriminal to build any fake story to trick the victim into clicking a malicious link.
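The following is an added example, written for this article and not code from LinkedIn or from the researcher, of how an HTML injection in a notification mailer works and how it is closed. The injection point in the real system was not disclosed, so the template, the profile field used as the injection point, the sender address and the attacker payload are all assumptions constructed for illustration. The vulnerable renderer interpolates an attacker-controlled string as raw HTML; the fixed one escapes it so it is rendered as text. A small link-audit helper shows how a mailer-side check can spot an off-domain link that made it into an outgoing notification.

```python
import html
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Hypothetical notification template. The "name" field stands in for some
# profile string the platform's mailer interpolates into the body; the real
# injection point was not disclosed, so this is an assumption.
TEMPLATE = (
    "<html><body>"
    "<p><b>{name}</b> viewed your profile.</p>"
    '<p><a href="https://www.linkedin.com/">See who viewed your profile</a></p>'
    "</body></html>"
)

# Placeholder sender (not the platform's real notification address).
SENDER = "notifications@example-platform.invalid"

# Constructed attacker payload: closes the <b>, injects a fake story with its
# own link, then hides the legitimate remainder of the message.
PAYLOAD = (
    "</b><p>Your account will be suspended. "
    '<a href="https://example.com/login">Verify now</a></p>'
    '<b style="display:none">'
)


def render_vulnerable(name: str) -> str:
    """Interpolates the untrusted string as raw HTML: this is the flaw."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Escapes the untrusted string so <, >, & and quotes become text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def build_notification(to: str, subject: str, body_html: str) -> EmailMessage:
    """Wraps the rendered body in a multipart/alternative message, as a
    platform mailer would, with the platform's own From address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("View this email in an HTML-capable client.")
    msg.add_alternative(body_html, subtype="html")
    return msg


def link_targets(body_html: str) -> list[str]:
    """Returns every href target that will render as a real link."""
    return re.findall(r'href="([^"]+)"', body_html)


def off_domain_links(body_html: str, allowed_host: str = "www.linkedin.com") -> list[str]:
    """Mailer-side guard: links that do not point at the platform's own host."""
    return [u for u in link_targets(body_html) if urlparse(u).hostname != allowed_host]


if __name__ == "__main__":
    bad = render_vulnerable(PAYLOAD)
    good = render_fixed(PAYLOAD)
    print("vulnerable:", off_domain_links(bad))   # attacker's link is live
    print("fixed:", off_domain_links(good))       # payload rendered as text
    msg = build_notification("victim@example.invalid", "Someone viewed your profile", bad)
    print(msg["From"], "->", msg["To"])
```

Escaping at render time is the actual fix; the `off_domain_links` check is only a safety net, since an injected story that contains no link at all (or that abuses a legitimate redirect on the platform's own domain) would pass it.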
“This flaw is very serious because a cybercriminal can redirect the user anywhere he wants. This could be a fake website that collects sensitive data like logins and passwords, for example. Let’s suppose Microsoft sends an email saying that you need to do an update, and the user goes there, downloads the file and executes it, since ‘Microsoft itself’ is sending it. There are no limits to what a criminal can do with this vulnerability; it will depend on his creativity, but it is really very serious,” said Lucas Moreira, independent security researcher and content analyst at Flipside, who was invited to comment on the case.
The Hack contacted LinkedIn headquarters in the United States and its outsourced communications and press office in Brazil, but has not yet received an answer.
How LinkedIn handles vulnerability reports
LinkedIn runs a bug bounty program on the HackerOne platform, where independent security researchers can report vulnerabilities found in the social network to the company and, in some cases, receive reward payments for the flaws found.
The company explains that a researcher who is not part of its HackerOne bug bounty program but wants to report a vulnerability in the social network must do so by email, directly to the responsible department.
Following the steps indicated by the company, Martins reported the vulnerability to LinkedIn on June 7 via the email “[email protected]”, as requested on the “Vulnerability Disclosure” page.
On June 8, a representative of the LinkedIn security team replied, saying that the report should be made formally through the HackerOne platform. As Martins is not one of its members, he asked whether he could join, and was told: “We are not accepting new researchers at the moment.”
This is the second time Ricardo Martins has tried to report a flaw in the social network. Last month, Martins and his colleague André Aguiar, also an information security researcher, tried to report a flaw that allows mass spamming on the platform; the company did not consider it a vulnerability, and mass spamming via LinkedIn chat remains exploitable.
Data from more than 700 million LinkedIn users has been for sale on a popular cybercriminal forum on the surface web since the beginning of last week. Although the database for sale is a compilation of public data entered into the platform by the users themselves, it was collected through a flaw in a LinkedIn API, a process known as data scraping.
This, however, is not the first time LinkedIn has been involved in a massive leak of its users’ public data. In April of this year, more than 1 billion user records from the platform were exposed in a similar leak, split across two databases: one with 827 million users, advertised for US$ 7,000, and another with 500 million, for which no price was reported.
At the time, LinkedIn said that data scraping violates the platform’s usage policies and that it would investigate the case to resolve the issue. That was not done: LinkedIn users continue to have their data scraped, and now face mass spam and phishing authenticated by the company itself.