LinkedIn Clickjacking vulnerability tricks users to spam links

A clickjacking vulnerability existed on LinkedIn that allowed an attacker to trick users into sharing and posting links on the victim's behalf.

Narendra Bhati (R00t Sh3ll), Security Analyst at Cyber Octet, informed us about the LinkedIn bug. Clickjacking, also referred to as a "user interface redress attack", is a website hacking technique in which an attacker tricks a web user into clicking a button, a link or a picture that the user did not intend to click, typically by overlaying the web page with an iframe.

The flaw allowed an attacker to open the LinkedIn page https://www.linkedin.com/shareArticle? , which is used to share links and article summaries, in a hidden iframe.

Proof of Concept:
1.) Semi-transparent iframe layers: [screenshot not included]

2.) Fully activated page with a zero-transparency iframe: [screenshot not included]

Video Demonstration: [video not included]
Many countermeasures have been described that help web users protect against clickjacking attacks. X-Frame-Options is a browser-enforced defence. To bring that protection into effect, LinkedIn should send an HTTP header named X-Frame-Options on its HTML responses.
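The following is an added example, not code from the article or from LinkedIn: a small checker a defender can run over captured response headers to decide whether a page is framable by a third-party origin. It goes beyond the article's X-Frame-Options header and also honours the Content-Security-Policy frame-ancestors directive, which current browsers apply in preference to X-Frame-Options when both are present. The sample header sets are constructed for illustration.

```python
"""Evaluate whether an HTTP response's headers prevent it from being framed.

Added example (not from the original article or from LinkedIn). It applies
the two relevant mechanisms: the X-Frame-Options header discussed in the
article, and the Content-Security-Policy frame-ancestors directive that
modern browsers honour in preference to X-Frame-Options.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FrameVerdict:
    framable_cross_origin: bool   # True means a clickjacking overlay is possible
    mechanism: str                # which header (if any) decided the verdict
    detail: str


def _parse_csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def evaluate_frame_protection(headers: dict[str, str]) -> FrameVerdict:
    """Decide from response headers whether a third-party page can frame this response.

    Header names are matched case-insensitively. Policy applied:
      1. If CSP frame-ancestors is present it decides (browsers then ignore XFO):
         'none', or 'self' only, means protected; any host or '*' means framable.
      2. Otherwise X-Frame-Options DENY or SAMEORIGIN means protected; the obsolete
         ALLOW-FROM form is ignored by browsers and is treated as no protection;
         a missing or unrecognised header means framable.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return FrameVerdict(False, "CSP frame-ancestors", "no ancestor may frame this page")
            if ancestors and all(a == "'self'" for a in ancestors):
                return FrameVerdict(False, "CSP frame-ancestors", "only same-origin ancestors allowed")
            return FrameVerdict(True, "CSP frame-ancestors", f"cross-origin ancestors permitted: {ancestors}")

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return FrameVerdict(True, "none", "no X-Frame-Options or CSP frame-ancestors header")
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FrameVerdict(False, "X-Frame-Options", f"X-Frame-Options: {value}")
    return FrameVerdict(True, "X-Frame-Options", f"unrecognised or obsolete value {xfo!r}; browsers ignore it")


# Constructed sample responses for illustration (not captured from LinkedIn).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        v = evaluate_frame_protection(hdrs)
        print(f"{name:20} framable={str(v.framable_cross_origin):5} via {v.mechanism}: {v.detail}")
```

The "csp_overrides_xfo" sample is the case worth noticing: a page that sends X-Frame-Options: DENY but also lists a cross-origin host in frame-ancestors is framable by that host, because the CSP directive takes precedence.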
