LinkedIn fixes OAuth flaw

By on
LinkedIn fixes OAuth flaw

Researcher sends heads up.

LinkedIn has fixed a flaw in its website that allowed OAuth tokens to be stolen.

British software engineer Richard Mitchell found he could steal OAuth tokens over HTTP thanks to formerly weak authentication within an interstitial page in LinkedIn's help site. 

"I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user," Mitchell said.

"You shouldn’t trust JavaScript or the referer header exclusively for any kind of authorisation policy."

LinkedIn fixed the flaw on 5 July two days after it was reported and sent Mitchell a t-shirt for his effort.

Copyright © SC Magazine, Australia

Tags:
linkedin oauth security

Most Read Articles

Westpac finally moves to re-architect IT for NPP

Westpac finally moves to re-architect IT for NPP
SA Dept Premier and Cabinet sacks CIO

SA Dept Premier and Cabinet sacks CIO
Optus fibre cable cut in Melbourne

Optus fibre cable cut in Melbourne
Equifax's top tech execs leave 'effective immediately'

Equifax's top tech execs leave 'effective immediately'
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
Solving IT complexity
Solving IT complexity
Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats

Events

Log In

Username:
Password:
|  Forgot your password?