LinkedIn shuts clickjacking flaw

By

Users could be tricked into deleting contacts.

LinkedIn has closed a clickjacking flaw in the remove connections feature of its website.

LinkedIn shuts clickjacking flaw

It took the company nearly four months to close the vulnerability after it was reported by Indian security consultant Jovyn Lobo.

The flaw could allow attackers to trick users into deleting their LinkedIn contacts, Lobo said.

"This may potentially trick a genuine user into clicking on something different to what the user perceives they are clicking on, thus potentially deleting some existing connections in their profile while clicking on seemingly innocuous web pages," he said.

"An attacker could perform a UI redress attack against this vulnerability by designing innocuous seeming web pages and trick a logged in user to remove some of his/her existing connections."

He posted a proof of concept video to demonstrate the attack.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?