Security Issue in LinkedIn – View any 3rd profile without a premium account.

Posted by Shaurya Anand on Geeks with Blogs
Published on Tue, 25 Jun 2013 09:02:34 GMT Indexed on 2013/06/25 16:22 UTC
Originally posted on: http://geekswithblogs.net/shauryaanand/archive/2013/06/25/153230.aspx

I discovered this accidentally when my wife forwarded a contact on LinkedIn from her tablet, using the mobile interface of the website. On opening the contact on my desktop, I was surprised to see that I needed to upgrade my account to view the contact. Doing some research along with my wife, I found this simple security vulnerability in LinkedIn that can let anyone view a contact’s full profile even when you have a “not upgraded” LinkedIn account and the contact is a “3rd + Everyone Else”.

Here’s an example of what I am talking about. I just made a random search on LinkedIn for a contact whose name starts with Sacha. Do note, this is just a walkthrough and I am not publicizing any Sacha. I check the “3rd + Everyone Else” filter and find a “LinkedIn Member”.

[screenshot: search results showing a “LinkedIn Member” under “3rd + Everyone Else”]

On clicking this person’s profile to view, I am presented with the following page, asking me to upgrade.

[screenshot: the upgrade prompt shown instead of the profile]

Make a note of this page’s web address and you get the profile id from it. For example, for this contact, the page address is:

http://www.linkedin.com/profile/view?id=868XXX35

The Profile Id for this contact is 868XXX35. Now, open the following page, where the Profile Id is the same as the one we grabbed a moment earlier:

https://touch.www.linkedin.com/?#profile/868XXX35

The mobile page exposes this contact’s information, and you can even connect to this person without an introduction mail (InMail).

[screenshots: the mobile profile page and its connect option]

I hope someone from LinkedIn sees this and issues a fix for it. I am pretty sure it’s something that they don’t want users to do without purchasing an upgrade package.
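The root cause described above is an authorization decision made in one interface (the desktop profile page) and skipped in another (the touch site), so the same profile id yields different answers. The following is an added example, not LinkedIn's code, that models that situation: one `can_view_full_profile` policy shared by every route that renders a profile, a "broken" touch route that trusts the id in the URL and never consults the policy, a fixed route that does, and an `audit_routes` check that reports any route whose decision diverges from the policy. All user ids, names, the connection graph and the premium tiers are constructed for the example.

```python
"""Added example (not LinkedIn's code): a single authorization policy shared by
every interface that renders a profile, plus an audit that flags routes whose
access decision diverges from that policy. All ids, names, connections and
account tiers below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Viewer:
    user_id: int
    premium: bool  # an "upgraded" account, in the post's terms


# Constructed sample graph: who is directly connected to whom.
CONNECTIONS = {
    1001: {2002},
    2002: {1001, 3003},
    3003: {2002},
    4004: set(),
}

# Constructed profile data keyed by profile id.
PROFILES = {
    1001: {"name": "Viewer Example", "headline": "Engineer"},
    2002: {"name": "First Degree", "headline": "Direct connection"},
    3003: {"name": "Second Degree", "headline": "Friend of a friend"},
    4004: {"name": "Third Plus", "headline": "Everyone else"},
}


def network_degree(viewer_id, profile_id):
    """0 = own profile, 1 = direct connection, 2 = shares a connection,
    3 = everyone else (the post's "3rd + Everyone Else")."""
    if profile_id == viewer_id:
        return 0
    first = CONNECTIONS.get(viewer_id, set())
    if profile_id in first:
        return 1
    for middle in first:
        if profile_id in CONNECTIONS.get(middle, set()):
            return 2
    return 3


def can_view_full_profile(viewer, profile_id):
    """The one policy every interface must consult: 3rd+ profiles need premium."""
    return network_degree(viewer.user_id, profile_id) < 3 or viewer.premium


def render_full(profile_id):
    return {"status": "ok", **PROFILES[profile_id]}


def render_upgrade():
    return {"status": "upgrade_required"}


def desktop_profile_view(viewer, profile_id):
    """Desktop route: gated by the shared policy."""
    if not can_view_full_profile(viewer, profile_id):
        return render_upgrade()
    return render_full(profile_id)


def touch_profile_view_broken(viewer, profile_id):
    """Mirrors the inconsistency the post describes: the mobile route trusts
    the id from the URL and never consults the policy."""
    return render_full(profile_id)


def touch_profile_view_fixed(viewer, profile_id):
    """Same gate as the desktop route, so the two decisions cannot drift."""
    if not can_view_full_profile(viewer, profile_id):
        return render_upgrade()
    return render_full(profile_id)


def audit_routes(routes, viewers, profile_ids):
    """Return (route_name, viewer_id, profile_id) for every case where a
    route's answer disagrees with the policy. Run it whenever a new interface
    (mobile, API, partner widget) starts rendering the same resource."""
    findings = []
    for name, handler in routes.items():
        for viewer in viewers:
            for pid in profile_ids:
                allowed = can_view_full_profile(viewer, pid)
                got_full = handler(viewer, pid)["status"] == "ok"
                if got_full != allowed:
                    findings.append((name, viewer.user_id, pid))
    return findings


if __name__ == "__main__":
    free = Viewer(1001, premium=False)
    routes = {"desktop": desktop_profile_view, "touch": touch_profile_view_broken}
    print(audit_routes(routes, [free], [2002, 3003, 4004]))  # flags the touch route for 4004
```

The audit is deliberately black-box: it calls each route the way a client would and compares the outcome with the policy, so it catches a route that forgot the check regardless of how that route is implemented. Keeping the decision in one function and treating every rendering path as untrusted until it passes that function is what prevents the desktop and mobile answers from diverging.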
