Security testing on web is nothing but preventing the web application from all the vulnerability. A vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Prevent all the secure data to be published or viewed by unauthorized people. All the private data should be secured and should not be accessible by others who does not have permission to access. Before testing the functionality, first you need to check the login page, because the login page is the main entry for hackers to any Web site.
Login – Most critical part where you should focus more. Application should never allow to login with wrong credentials. There should be authorization level of each login and defined permission to access the secure data.
Attention Security Testers! Could you foresee any Security vulnerability here at LinkedIn Login mechanism?
Summary – ‘Incorrect Login’ issue in Mozilla Firefox browser [v 44.0.2]
LinkedIn login is done for User A whose Password is saved in Mozilla Firefox browser v 44.0.2, though the Login attempt was made via Gmail account of User B. Initially none of the User is logged in to LinkedIn. Also the Username displayed at Login page is that of User B, but still login is done incorrectly for User A. The vulnerability might be present in other browsers as well. If exploited, this vulnerability could give unauthorized access to unintended people.
- No User is logged into Gmail account.
2. I (Deepanshu Agarwal) have my Login credentials saved for LinkedIn (remember password). But didn’t Login.
3. Login to Kanchan’s Gmail account
4. Login successful. Open the mail received from LinkedIn regarding Connection Invite & click on ‘Accept’ button.
5. Navigated to LinkedIn login page where Username is displayed as ‘Kanchan Kapoor’ with some Password (though I never saved Kanchan’s password). Click on ‘Sign In’.
6. It logins to my (Deepanshu Agarwal) account. As I already have connection with that person, the message doesn’t display his name ‘You and are now connected’.
Reporting @ LinkedIn Security
Tried communicating the issue @ LinkedIn Security team [firstname.lastname@example.org], but in vain. Either it’s not a Vulnerability at all OR Security team is not clearly understanding the issue OR simply they don’t want to!
Mail – 1
Getting straight to the point, found the below discrepancy in User Login @ LinkedIn.
Summary: LinkedIn login is done for “User A” whose Password is saved in Mozilla Firefox browser v 44.0.2, though the Login attempt was made via Gmail account of “User B”. Initially none of the Users is logged in to LinkedIn. Also the Username displayed at Login page is that of “User B”, but still login is done incorrectly for “User A”. I.e. “User B” gets unauthorized access to “User A” profile!
Didn’t check the behavior for other browsers. But the vulnerability might be present in other browsers as well. If exploited, this Security vulnerability could give unauthorized access to unintended people.
Please find attached step-by-step screenshots for reference.
Reply – 1
Thanks for reporting this and helping to protect our members.
We have completed our investigation, and this does not appear to be a security issue. While the application displays the “You and XYZ are now connected” banner, the current logged-in member is not connected to the user. You can verify that by going to My Network->Connections.
Mail – 2
I guess you got the issue incorrect. This is not regarding whether the logged-in User is connected to another User or not.
It is a “Login Issue”. Though the login was done using “User B” as Username, still login is done for “User A”. There is something not right here.
- User A has his LinkedIn Password remembered in Mozilla Firefox.
- None of the two Users are logged in to Gmail & LinkedIn.
- User B logins to his Gmail account.
- There is a connection request email in User B Gmail >> He / She clicks on Approve >> User B is navigated to LinkedIn login page where Username is shown as ‘User B’ with some password pre-filled.
What do you think – Which User will be logged in LinkedIn when clicked on Login?
— Yeah! Expected – User B should login
— Actual (Security Vulnerability) – Though is shows User B as username, but it logins with User A profile…giving unauthorized access!
Reply – 2
Thank you for contacting us about this, I’m happy to further assist. I’m sorry for any confusion this may have caused. We’ve found that many times clearing cached pages and cookies from your browser can resolve multiple issues. Here’s how to do this: https://help.linkedin.com/app/answers/global/id/1285 . Please complete the instructions from the link above for each browser that you use.
This should fix your problem. But if it doesn’t, please let me know and we can continue to troubleshoot any additional causes.
Mail – 3
Clearing cache will obviously remove the ‘Saved Password’ hence the problem won’t occur. This is ‘Not a Fix’ but a workaround solution. And there are no workarounds when User’s Data Security is in question.
Also a User cannot always keep clearing his/her Browser cache after using LinkedIn. After all ‘Remember Password’ is a browser functionality for User’s ease of use. It’s like asking a User not to select ‘Remember Password’ browser option when using LinkedIn – which indirectly means you are putting the onus on the User, i.e. LinkedIn cannot safe guard you against unauthorized access in case you select ‘Remember Password’ option. Any User can access your account via their own Email IDs. Use LinkedIn at your own risk!
Let me know your thoughts!
Reply – 3
Thank you for your reply. To be clear are you having trouble logging into your account? Are you trying to not have your password saved when you log in? Are you finding that you are seeing more than one person logged into your account?
Please let me know if you are referring to your account with regards to this log in issue. I look forward to hearing from you.
Now I am in no mood to reply or follow-up! Is it that difficult to understand the issue I am talking about? Hence posting this issue globally for some insights.