LinkedIn fixes OAuth flaw

By on
LinkedIn fixes OAuth flaw

Researcher sends heads up.

LinkedIn has fixed a flaw in its website that allowed OAuth tokens to be stolen.

British software engineer Richard Mitchell found he could steal OAuth tokens over HTTP thanks to formerly weak authentication within an interstitial page in LinkedIn's help site. 

"I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user," Mitchell said.

"You shouldn’t trust JavaScript or the referer header exclusively for any kind of authorisation policy."

LinkedIn fixed the flaw on 5 July two days after it was reported and sent Mitchell a t-shirt for his effort.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
linkedin oauth security

Most Read Articles

Telstra to have Australian agents answer all inbound calls from 2022

Telstra to have Australian agents answer all inbound calls from 2022
Critical F5 BIG-IP vulnerability made public

Critical F5 BIG-IP vulnerability made public
CBA hit by nine-hour online banking, payments outage

CBA hit by nine-hour online banking, payments outage
Govt ponders new sovereignty rules for datasets

Govt ponders new sovereignty rules for datasets
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?