2 min read

Writeup: Delete Replies on LinkedIn Learning

Writeup: Delete Replies on LinkedIn Learning

Hi Hackers!! In this blog, I will write about a bug that I submitted a few months ago on LinkedIn. In brief, the vulnerability was that an attacker can delete replies that users make below videos on LinkedIn Learning.

Mindset

LinkedIn has around 350 reports in the last 90 days as of now. There are so many hackers who have already hacked LinkedIn. I started by understanding the application requests, parameters and APIs first. It took around 2-3 days to understand the request format, the APIs, and URNs (Uniform Resource Names) that LinkedIn uses in the parameter values. LinkedIn is a feature-rich application, there are a lot of services and features that are present. I started hacking the core application by checking each-each part for 2-3 days.

LinkedIn uses the Espresso database (internal private database), no codebase of this database is present online. So, I dropped testing for SQL injections. On LinkedIn, there are users, jobs, employees, businesses, and other roles. So, I started testing access control vulnerabilities and business logic bugs. Also, if you will see the disclosed reports on hacktivity section of LinkedIn at Hackerone, access control bugs are the most reported bugs.

Vulnerability

At LinkedIn Learning, users can make comments below the course videos. Well, what if any external user can delete your reply? What if that reply is of the course author itself? Yeah, this was the vulnerability. An attacker can delete any reply in LinkedIn Learning.

POC:

  1. Go to https://linkedin.com/learning. Choose any course and click on a video. In their Q/A section write down a reply below any comment.
  2. Now, delete a reply and keep the DELETE request in Repeater. This request has a comment URN value present in the endpoint.
DELETE /learning-api/socialAnswers/urn:li:comment:(urn:li:ugcPost:6983952757619658752,7008337964900474880) HTTP/2
Host: www.linkedin.com
Cookie: █████████"
  1. What if the attacker will substitute some other user's replies URN value, here?
  2. Exactly, this is what I did. Change the URN value to some other reply's URN value and the reply got deleted.
  3. Well, at first I deleted some course author's replies by mistake and even in the POC video that I recorded, I deleted some other user's replies (again by mistake).

Video POC:

Impact:

An unauthorized user can delete your replies at LinkedIn Learning. This includes replies made by course owners, instructors, gurus, and students.

Reporting Timeline:

Reported on: 13th Dec 2022
Triaged on: 17th Dec 2022 (Medium Severity)
Bounty received on: 11th Jan 2023 (500$)
Fixed on: 15th March 2023

The response gives 403 Forbidden as the issue is resolved as of now and is not reproducible anymore.

Explained POC on my youtube channel: https://youtu.be/tSq0jL6sBI8

Author: Inderjeet Singh
Msg me at twitter://3nc0d3dGuY for doubts.
Happy Hacking!!