Wednesday, August 1, 2012

Hijacking LinkedIn sessions

During a demonstration at the Microsoft Tech Days 2012 in Eigenbrakel a 'famous' Microsoft white hacker demonstrated how easy it was to capture a LinkedIn password over a secure HTTPS connection.

She was using Fiddler, an intermediate proxy. The hacker added the Fiddler self-signed certificate to the list of trusted root certificates. Now she was pretending that the username and the password were not transferred in a secure way because she intercepted it in clear text with her 'magic' tool?!? I think she definitely needs to review some basics of PKI or Public Key Infrastructure... A shame for Microsoft :)

The GOOD news... there are no issues at all with the login procedure in LinkedIn! The credentials are transferred over a secure HTTPS connection. However capturing those credentials is still possible when using intermediate proxies or firewalls with a HTTPS inspection function. That's not a LinkedIn problem, that 's just how PKI works.

The BAD news... LinkedIn is not using HTTPS for every transaction. It is really easy to hijack a LinkedIn session!

To demonstrate the issue, I created a LinkedIn test account User1.

User1 is a legitimate user and has a valid LinkedIn session.
User2 is the attacker and wants to hijack User1's session.

I'm logging in with the User1 account:

After analyzing the HTTP session parameters I found an interesting cookie:


For User1 it has the following value:


This is the session cookie and it expires after 3 months!

Because session cookies are transferred with each HTTP request and because LinkedIn is using non-encrypted HTTP communication for most of its transactions, it is now very easy to capture the leo_auth_token cookie. Capturing HTTP traffic could be done over a non-secure wireless network or using other techniques like ARP injection, MAC flooding, SNMP hacking,... Maybe in the future I will post some new articles explaining those techniques.

Suppose that User2, our attacker, captured the leo_auth_token cookie using one of the above techniques. He could now open a new browser session and add the captured session cookie to the list of cookies using a cookie editor (for this excercise we cleared all the existing cookies).

After adding the captured cookie to the browser, User2 enters the following URL to edit a LinkedIn profile:

The magic happens:

We hijacked User1's session!
Now we can easily edit User1's profile:

In the same way we could list contacts, add contacts, remove contacts, read messages and send 'spoofed' messages to the contacts,...

Because the LinkedIn session cookie is stored for 3 months and most of the LinkedIn users are never logging out a session, an attacker has plenty of time to fool with someone's profile after capturing the session cookie over a non-secured HTTP connection.
Hijacking a LinkedIn session is really easy!

LinkedIn is just not safe enough. They should definitely switch to HTTPS-only and use session cookies with larger values and with shorter expiration times!

Something to think about when using LinkedIn as a social media platform for professional purposes!