Security Issue in LinkedIn – View any 3rd profile without a premium account.
Posted by Shaurya Anand on Geeks with Blogs
Published on Tue, 25 Jun 2013 09:02:34 GMT
Originally posted on: http://geekswithblogs.net/shauryaanand/archive/2013/06/25/153230.aspx
I discovered this accidentally when my wife forwarded a contact on LinkedIn from her tablet, using the mobile interface of the website. On opening the contact on my desktop, I was surprised to see that I needed to upgrade my account to view the contact. Doing some research along with my wife, I found this simple security vulnerability in LinkedIn that lets anyone view a contact’s full profile even with a “not upgraded” LinkedIn account and even when the contact is in “3rd + Everyone Else”.
Here’s an example of what I am talking about. I just ran a random search on LinkedIn for a contact whose name starts with Sacha. Do note, this is just a walkthrough and I am not publicizing any Sacha. I check “3rd + Everyone Else” and find a “LinkedIn Member”.
On clicking this person’s profile to view, I am presented with the following page, asking me to upgrade.
Make a note of this page’s web address; the profile id is part of it. For example, for this contact, the page address is:
http://www.linkedin.com/profile/view?id=868XXX35
The Profile Id for this contact is 868XXX35. Now, open the following page, where the Profile Id is the same as the one we grabbed a moment earlier.
https://touch.www.linkedin.com/?#profile/868XXX35
The mobile page exposes this contact’s information, and you even get the option to connect to this person without an introduction mail (InMail).
I hope someone from LinkedIn sees this and issues a fix. I am pretty sure it’s something that they don’t want users to do without purchasing an upgrade package.
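A gap like the one described above, where the desktop page enforces the upgrade check and the mobile page does not, can arise when authorization is implemented per front end instead of in one shared layer. The following is an added example, not code from the original post or from LinkedIn: a hypothetical Python model (the root cause, all names, and the sample data are assumptions) showing the flawed pattern, a fix that moves the check into a shared access layer, and a parity test that flags any handler serving what the policy denies.

```python
# Added illustration: hypothetical model, not LinkedIn's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Viewer:
    user_id: int
    premium: bool

# Constructed sample data: profile id -> connection degree and profile fields.
PROFILES = {1001: {"degree": 3, "name": "Sample Member", "headline": "Engineer"}}

class Forbidden(Exception):
    """Raised when the viewer's account does not entitle them to the profile."""

def can_view_full_profile(viewer, profile):
    # Single policy: out-of-network (3rd+) profiles require a premium account.
    return profile["degree"] < 3 or viewer.premium

def get_full_profile(viewer, profile_id):
    # Hardened pattern: the check lives in the access layer every front end calls.
    profile = PROFILES[profile_id]
    if not can_view_full_profile(viewer, profile):
        raise Forbidden("upgrade required")
    return profile

def desktop_view(viewer, profile_id):
    return get_full_profile(viewer, profile_id)

def mobile_view_unchecked(viewer, profile_id):
    # Flawed pattern: the handler reads the record directly and assumes
    # another interface has already gated access.
    return PROFILES[profile_id]

def mobile_view(viewer, profile_id):
    # Fixed handler: same access layer as the desktop route.
    return get_full_profile(viewer, profile_id)

def parity_gaps(viewer, profile_id, handlers):
    # Regression check: names of handlers that serve a profile the policy denies.
    denied = not can_view_full_profile(viewer, PROFILES[profile_id])
    gaps = []
    for name, handler in handlers.items():
        try:
            handler(viewer, profile_id)
            served = True
        except Forbidden:
            served = False
        if served and denied:
            gaps.append(name)
    return gaps
```

Running `parity_gaps` over every route that can return a profile, with a non-premium test account, turns this class of inconsistency into a failing test before release.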
© Geeks with Blogs or respective owner