Hi guys, this is my second blog post related to bug bounty. I found this vulnerability recently and thought of sharing it with the community. The vulnerability is in a private bug bounty program from Bugcrowd. As I cannot disclose the company name, I will refer to it as company.com.
When I got the invitation, I quickly ran to gather all subdomains. There was one subdomain, which I will call subdomain.company.com.
The vulnerability I found, which allows takeover of the company's LinkedIn page, is Broken Link Hijacking. Almost everyone has heard of subdomain hijacking, but what about broken link hijacking? These two vulnerabilities are very similar; the major difference is that one involves a subdomain while the other involves an expired link on a page. Shout out to edoverflow for explaining this technique in his blog post.
Tools to find broken links: Broken Link Checker
Find broken links, missing images, etc within your HTML. ✅ Complete: Unicode, redirects, compression, basic auth…
This tool lists all the links present in the website's source code that return a 404 status when followed. After installing the tool, just run the command below. It will check for expired links up to the third level.
blc -rof --filter-level 3 https://example.com/
When I ran the above command on the above subdomain, I got one result: the LinkedIn page of the company, which returned a 404 (page not found) status code. To confirm this, I opened that link and it showed me page not found.
https://www.linkedin.com/company/<company_name> => 404 Not Found
The next step is to create a company page with the above company name in the above URL and take it over.
Impact: A hacker can post all kinds of bad stuff in the name of the company. As the site links to the company's LinkedIn page, when a user clicks on that link he will be taken to the hacker-controlled LinkedIn page.
I reported the vulnerability and got a reward of $500 🤑🤑
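For site owners, here is an added example (not from the original post or from the Broken Link Checker project): a Python audit that flags dead outbound links on your own pages and marks the ones pointing at a LinkedIn URL, the case described above. The host list, the sample HTML, the sample status values and all function names are constructed assumptions.

```python
import urllib.error, urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CLAIMABLE_HOSTS = {"linkedin.com"}  # assumption: extend with profile hosts you link to
# Constructed sample page and constructed status results (no network needed).
SAMPLE_HTML = """<a href="/about">About</a>
<a href="https://www.linkedin.com/company/example-co">LinkedIn</a>
<a href="https://github.com/example-co">GitHub</a>
<script src="https://cdn.example.net/old.js"></script>"""
SAMPLE_STATUS = {"https://www.linkedin.com/company/example-co": 404,
                 "https://github.com/example-co": 200,
                 "https://cdn.example.net/old.js": 404}

class LinkCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(urljoin(self.base_url, value))

def bare_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def http_status(url, timeout=10):
    """Live check: HTTP status code, or None if the host is unreachable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except OSError:
        return None

def audit(html, base_url, fetch_status=http_status):
    """Yield (url, status, kind) for every dead external link in html."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    for url in dict.fromkeys(collector.links):  # de-duplicate, keep order
        host = bare_host(url)
        if urlparse(url).scheme not in ("http", "https") or host == bare_host(base_url):
            continue  # skip mailto:, javascript: and same-host links
        status = fetch_status(url)
        if status in (None, 404, 410):
            kind = "claimable-name" if host in CLAIMABLE_HOSTS else "dead-external"
            yield (url, status, kind)
```

Run it as `list(audit(SAMPLE_HTML, "https://subdomain.company.com/", SAMPLE_STATUS.get))` for the offline sample, or omit the third argument to check live pages. Confirm any hit in a browser before removing or fixing the link.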