LinkedIn fixes OAuth flaw

By on
LinkedIn fixes OAuth flaw

Researcher sends heads up.

LinkedIn has fixed a flaw in its website that allowed OAuth tokens to be stolen.

British software engineer Richard Mitchell found he could steal OAuth tokens over HTTP thanks to formerly weak authentication within an interstitial page in LinkedIn's help site. 

"I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user," Mitchell said.

"You shouldn’t trust JavaScript or the referer header exclusively for any kind of authorisation policy."

LinkedIn fixed the flaw on 5 July two days after it was reported and sent Mitchell a t-shirt for his effort.

Copyright © SC Magazine, Australia

Tags:
linkedin oauth security
In Partnership With

Most Read Articles

NBN Co reveals range for evening congestion among RSPs

NBN Co reveals range for evening congestion among RSPs
NBN Co leaves fresh batch of FTTC converts until last

NBN Co leaves fresh batch of FTTC converts until last
IBM Australia cuts analytics and support staff

IBM Australia cuts analytics and support staff
NBN Co has 'under 500' congested fixed wireless cells

NBN Co has 'under 500' congested fixed wireless cells
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Log In

Username / Email:
Password:
  |  Forgot your password?