LinkedIn has closed a clickjacking flaw in the remove connections feature of its website.
It took the company nearly four months to close the vulnerability after it was reported by Indian security consultant Jovyn Lobo.
The flaw could allow attackers to trick users into deleting their LinkedIn contacts, Lobo said.
"This may potentially trick a genuine user into clicking on something different to what the user perceives they are clicking on, thus potentially deleting some existing connections in their profile while clicking on seemingly innocuous web pages," he said.
"An attacker could perform a UI redress attack against this vulnerability by designing innocuous seeming web pages and trick a logged in user to remove some of his/her existing connections."
He posted a proof of concept video to demonstrate the attack.
_(28).jpg&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0){kind=logo}
_(26).jpg&w=100&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
