5.3.3 LinkedIn
We found that LinkedIn was potentially vulnerable to the Unexpired Session Attack and a variant of the Trojan Identifier Attack.
Unexpired Session Attack.
This was potentially feasible because LinkedIn did not by default invalidate the active sessions of an account after a password change. An option for doing this was displayed during the password change procedure, but was not selected by default. If the victim did not select this option, the account remained vulnerable to this type of attack. We also noticed that this attack could be performed using the email verification trick (Section 4.6).
Trojan Identifier Attack.
This was potentially feasible because LinkedIn provides the option to associate multiple email addresses with an account. As described in Section 4.3, the attacker creates an account with the victim’s email address and then adds their own email address to the account. This sends an email-change verification URL to the attacker’s email address. After the victim recovers the account and confirms their own email address, any attempt to confirm another email address must be made from an authenticated session. The attacker thus needs the victim to visit the confirmation URL on the attacker’s behalf (e.g., through a CSRF attack). If successful, the attacker could request a one-time sign-in link for this account to be sent to their email address, allowing them to access the account without the victim’s password. As LinkedIn is a professional social network and an IdP, a successful attack could allow the attacker to read the victim’s sensitive conversations, impersonate the victim, or sign in as the victim at other services where the victim uses LinkedIn as an IdP.

We reported our findings to LinkedIn in June 2021. As a result, LinkedIn changed the default behavior to invalidate active sessions after a password change, thus mitigating the Unexpired Session Attack. They also noted that they use multiple defense-in-depth techniques to minimize the window of vulnerability for Trojan Identifier Attacks. Firstly, the email-change verification URLs are only valid for a limited period of time, forcing the attacker to refresh these regularly. Secondly, there is only a short time window after the victim’s last authentication in which email-change confirmations will be accepted without requiring re-authentication. After this window, the victim will be asked to re-authenticate, which would likely raise suspicion. Finally, LinkedIn uses various anti-abuse controls to prevent the creation of multiple accounts with unconfirmed email addresses. We discuss these defenses further in Section 6.2.2.
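As an added illustration, not taken from the paper or from LinkedIn’s implementation, the following Python model shows how a service can implement the three server-side defenses described above: a per-account password generation counter that invalidates every session issued before a password change, a time-to-live on email-change verification tokens, and a re-authentication window outside of which confirmations are refused. All names, the 15-minute window and the 24-hour token lifetime are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass, field

REAUTH_WINDOW = 15 * 60      # assumed: confirmations accepted only this long after the last sign-in
EMAIL_TOKEN_TTL = 24 * 3600  # assumed: email-change verification URLs expire after this

@dataclass
class Account:
    password_generation: int = 0                 # incremented on every password change
    emails: set = field(default_factory=set)     # confirmed addresses
    pending: dict = field(default_factory=dict)  # verify token -> (email, issued_at)

class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}  # session token -> (account_id, generation issued under, authenticated_at)
    def create_account(self, account_id, email):
        self.accounts[account_id] = Account(emails={email})
    def login(self, account_id, now):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (account_id, self.accounts[account_id].password_generation, now)
        return token
    def change_password(self, account_id):
        # Bumping the generation invalidates every session issued before the change.
        self.accounts[account_id].password_generation += 1
    def session_valid(self, token):
        s = self.sessions.get(token)
        return s is not None and s[1] == self.accounts[s[0]].password_generation
    def request_email_change(self, token, new_email, now):
        # Adding an address already requires an authenticated session.
        if not self.session_valid(token):
            return None
        verify = secrets.token_urlsafe(16)
        self.accounts[self.sessions[token][0]].pending[verify] = (new_email, now)
        return verify
    def confirm_email(self, token, verify, now):
        # Returns "ok", "invalid_session", "unknown", "expired" or "reauth_required".
        if not self.session_valid(token):
            return "invalid_session"
        account_id, _, authenticated_at = self.sessions[token]
        acct = self.accounts[account_id]
        if verify not in acct.pending:
            return "unknown"
        if now - acct.pending[verify][1] > EMAIL_TOKEN_TTL:   # stale verification URL
            acct.pending.pop(verify)
            return "expired"
        if now - authenticated_at > REAUTH_WINDOW:             # victim must sign in again first
            return "reauth_required"
        acct.emails.add(acct.pending.pop(verify)[0])
        return "ok"
```

With these checks, a session opened before the victim’s recovery can neither add nor confirm an address, and a confirmation attempted long after the victim last signed in is refused rather than silently accepted.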