A clickjacking vulnerability existed on LinkedIn that allowed an attacker to trick users into sharing and posting links on the victim's behalf.

Narendra Bhati (R00t Sh3ll), Security Analyst at Cyber Octet, informed us about the LinkedIn bug. Clickjacking, also referred to as a "User Interface redress attack", is a website hacking technique in which an attacker tricks a web user into clicking a button, a link, a picture, etc. that the web user did not intend to click, typically by overlaying the web page with an iframe.

The flaw allows an attacker to open the LinkedIn page https://www.linkedin.com/shareArticle?, which is used to share links and article summaries, in a hidden iframe.

Proof of Concept:
1.) Semi-transparent iframe layers
2.) Fully activated page with zero-transparency iframe

Many countermeasures have been described that help protect web users against clickjacking attacks. X-Frame-Options is a browser-based defense method. To bring the X-Frame-Options protection into effect, LinkedIn should send an HTTP header named X-Frame-Options on HTML responses.
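
As an added example (not from the original article or from LinkedIn's code), the JavaScript below sets the header on a Node-style response and audits the X-Frame-Options values seen on a response. The function names, the `headers` input shape and the sample responses are constructed for illustration.

```javascript
// Server side: attach the header to every HTML response.
// `res` is any object exposing Node's http.ServerResponse setHeader(name, value).
function denyFraming(res) {
  res.setHeader('X-Frame-Options', 'DENY'); // 'SAMEORIGIN' if the site frames its own pages
  return res;
}

// Audit side: lint the X-Frame-Options value(s) on a response.
// `headers` is a plain object of response headers (assumed input shape).
// Anything other than a single DENY or SAMEORIGIN is reported as a finding.
function auditXfo(headers) {
  // Header names are case-insensitive; repeated headers arrive comma-joined.
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (key === undefined) {
    return { ok: false, reason: 'header missing' };
  }
  const values = [...new Set(
    String(headers[key]).split(',').map(v => v.trim().toUpperCase()).filter(Boolean)
  )];
  if (values.length !== 1) {
    return { ok: false, reason: 'empty or conflicting values: ' + values.join(', ') };
  }
  const v = values[0];
  if (v === 'DENY' || v === 'SAMEORIGIN') {
    return { ok: true, reason: v };
  }
  if (v.startsWith('ALLOW-FROM')) {
    return { ok: false, reason: 'ALLOW-FROM is obsolete and ignored by current browsers' };
  }
  return { ok: false, reason: 'unrecognised value: ' + v };
}

// Constructed sample responses for a share endpoint.
const samples = [
  {},
  { 'x-frame-options': 'sameorigin' },
  { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
  { 'X-Frame-Options': 'ALLOW-FROM https://example.com' },
];
for (const h of samples) {
  console.log(JSON.stringify(h), '->', JSON.stringify(auditXfo(h)));
}
```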
