LinkedIn fixes OAuth flaw

By on
LinkedIn fixes OAuth flaw

Researcher sends heads up.

LinkedIn has fixed a flaw in its website that allowed OAuth tokens to be stolen.

British software engineer Richard Mitchell found he could steal OAuth tokens over HTTP thanks to formerly weak authentication within an interstitial page in LinkedIn's help site. 

"I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user," Mitchell said.

"You shouldn’t trust JavaScript or the referer header exclusively for any kind of authorisation policy."

LinkedIn fixed the flaw on 5 July two days after it was reported and sent Mitchell a t-shirt for his effort.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
linkedin oauth security
In Partnership With

Most Read Articles

Australia gets world-first encryption busting laws

Australia gets world-first encryption busting laws
Defence turns on billion-dollar Telstra comms network

Defence turns on billion-dollar Telstra comms network
NAB dependency on IT consultants slammed by chair Ken Henry

NAB dependency on IT consultants slammed by chair Ken Henry
NAB's public cloud expansion ran without internal IT staff

NAB's public cloud expansion ran without internal IT staff
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider

Events

Log In

Username / Email:
Password:
  |  Forgot your password?