Vulnerability Disclosure - Business Logic: Improper Account Ownership Verification @ LinkedIn

Kartik Lalan, published in NestedIf, Aug 8, 2021

Status: Open (as of 08-Aug-2021)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L = 6.5 (Medium Severity)

Impacted Component: linkedin.com (Account Creation Feature)

Vulnerability Description: The account-creation flow does not stop a user from reaching Preferences before the sign-up email address has been verified, and Preferences allows adding another email address. An attacker can therefore register a new account with the victim's email address, then add an attacker-controlled address from Preferences. The verification mail for that second address goes to the attacker, who verifies it and makes it the primary address. The victim's address stays attached to the account without ever having been verified, and nothing in the flow asks for that verification. The attacker now holds full control of the LinkedIn account, and the victim has no way to get it back.

Impact rationale: Exploitation causes a loss of integrity and availability for the victim's account.
1) The victim cannot use the account. The attacker created it and chose the password, and without that password the victim cannot log in.

(Screenshot: misleading recovery steps, since the victim does not know the password set by the attacker.)

2) The victim cannot use the Forgot password feature, since the reset link always goes to the attacker-controlled primary email address.

(Screenshot: the victim can neither log in nor use Forgot password, since the reset mail goes to the attacker's email address.)

3) The victim cannot sign in with a one-time link either, since that link also goes to the attacker-controlled email address.

(Screenshot: the victim requests a one-time sign-in link, but the link arrives at the attacker's email address.)

4) The victim cannot create a new account, because the email address is reported as already registered.
5) The manual identity-proof document route is of little use, since most countries still have no digital ID verification in place. A photo or PDF of an ID document can easily be tampered with, so it proves very little.

Exploitability rationale: No victim interaction is needed; the attacker can exploit this remotely knowing only the victim's email address. Adding the attacker-controlled email does send an alert notification to the victim, but the victim cannot act on it for the reasons given under Impact rationale #1, #2 and #3.

Steps to Reproduce:
1. Register a new LinkedIn account using the victim's email address.

2. You are redirected to the "confirm your email" page. Spot the Preferences hyperlink on that page and click it.

3. From Preferences, navigate to Sign in & Security > Account Access > Email addresses. Add an attacker-controlled email address and complete the verification for it (the verification mail goes to the attacker).

4. Make the attacker-controlled address the primary one. The victim's address remains attached to the account without ever having been verified, and the attacker now holds the account.
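To make the logic gap concrete, here is a small toy model of the sign-up and settings flow, added as an illustration for this write-up. It is not LinkedIn code; every class, method and address in it is my own assumption. With `hardened=False` it reproduces the steps above (settings reachable before the sign-up address is verified, an unverified address still counts as registered, any verified address can become primary) and then replays the victim's recovery attempts from the impact rationale. With `hardened=True` it applies the checks that close the gap: settings stay locked until the sign-up address is verified, and an address that was never verified neither blocks another registration nor survives once someone else registers it.

```python
"""Toy model of the sign-up / settings flow from the write-up (added example, not LinkedIn code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Email:
    address: str
    verified: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Account:
    password: str
    primary: str | None
    emails: dict[str, Email]


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[int, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, verification token)

    def _owner_of(self, address: str) -> int | None:
        """Account that owns an address. Hardened: only a *verified* address counts."""
        for aid, acct in self.accounts.items():
            e = acct.emails.get(address)
            if e is not None and (e.verified or not self.hardened):
                return aid
        return None

    def _settings_unlocked(self, aid: int) -> bool:
        """Hardened: no account settings until the sign-up address is verified."""
        acct = self.accounts[aid]
        return not self.hardened or (
            acct.primary is not None and acct.emails[acct.primary].verified)

    def _send_verification(self, aid: int, address: str) -> None:
        e = Email(address)
        self.accounts[aid].emails[address] = e
        self.outbox.append((address, e.token))

    def register(self, address: str, password: str) -> int:
        if self._owner_of(address) is not None:
            raise PermissionError("address already registered")
        if self.hardened:
            # Somebody else's unverified claim on this address is discarded.
            for acct in self.accounts.values():
                if address in acct.emails:
                    del acct.emails[address]
                    if acct.primary == address:
                        acct.primary = None
        aid = len(self.accounts) + 1
        self.accounts[aid] = Account(password, address, {})
        self._send_verification(aid, address)
        return aid

    def verify(self, aid: int, address: str, token: str) -> bool:
        e = self.accounts[aid].emails[address]
        if secrets.compare_digest(e.token, token):
            e.verified = True
        return e.verified

    def add_email(self, aid: int, address: str) -> None:
        if not self._settings_unlocked(aid):
            raise PermissionError("verify the sign-up address first")
        self._send_verification(aid, address)

    def set_primary(self, aid: int, address: str) -> None:
        acct = self.accounts[aid]
        if not self._settings_unlocked(aid) or not acct.emails[address].verified:
            raise PermissionError("only a verified address can become primary")
        acct.primary = address

    def reset_mail_recipient(self, address: str) -> str | None:
        """Where a forgot-password / one-time-link mail for this address goes (None: no account)."""
        aid = self._owner_of(address)
        return None if aid is None else self.accounts[aid].primary


def takeover_attempt(hardened: bool) -> dict:
    """Replay the steps to reproduce, then the victim's recovery attempts."""
    svc = AccountService(hardened)
    victim, attacker = "victim@example.com", "attacker@example.net"   # constructed addresses
    aid = svc.register(victim, "attacker-chosen-password")            # step 1
    try:
        svc.add_email(aid, attacker)                                   # step 3
        _, token = svc.outbox[-1]                                      # mail lands with the attacker
        svc.verify(aid, attacker, token)
        svc.set_primary(aid, attacker)                                 # step 4
        attacker_is_primary = True
    except PermissionError:
        attacker_is_primary = False
    reset_goes_to = svc.reset_mail_recipient(victim)                  # impact #2 / #3
    try:
        svc.register(victim, "victim-password")                        # impact #4
        victim_can_register = True
    except PermissionError:
        victim_can_register = False
    return {"attacker_is_primary": attacker_is_primary,
            "reset_goes_to": reset_goes_to,
            "victim_can_register": victim_can_register}
```

Running `takeover_attempt(False)` ends with the attacker's address as primary, the victim's reset mail routed to the attacker, and the victim's own registration refused; `takeover_attempt(True)` fails at the add-email step, routes no reset mail to the attacker, and lets the victim register, which also evicts the stale unverified claim from the attacker's account. The key design point is that ownership of an address is only ever established by verifying it, so an unverified claim grants neither settings access nor a lock on the address.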
