No Validation Of LinkedIn Primary Email Address before Deletion Cause Account Take Over

Lazy Hacker
5 min read · Jul 28, 2023

The vulnerability that I am writing about here happened to me. My LinkedIn account was hacked: somebody changed the primary email address to his own email address and deleted my primary email address. I have reported this, but I haven’t received any satisfactory revert from the team. LinkedIn’s service is not good. If your account is hacked, there is no way to take it back. I told the team that I would provide all my documents to them, but there was no response to that. I have also reported this issue on HackerOne, but it was not accepted.

After performing the analysis, I got to know that my account was completely under the attacker’s control. There is no chance of getting it back. This is a serious issue and the impact is high.

This report addresses a critical vulnerability in LinkedIn’s “Add Email Address” functionality that can lead to unauthorized account access and potential account takeovers. The vulnerability allows attackers to change the primary email address of a victim’s account without proper verification, thereby granting them control over the account. The report provides a step-by-step explanation of the vulnerability and its potential impacts.

The vulnerability occurs in the “Add Email Address” feature of LinkedIn. When a user attempts to change their primary email address, the system does not revalidate whether the person making the change is the legitimate owner of the account. The process relies solely on the LinkedIn username and password, without additional verification of the email address. Consequently, if an attacker gains access to a victim’s LinkedIn credentials, either through a data breach or other means, they can exploit this vulnerability to take control of the victim’s account.

Let’s assume that the attacker gets your username and password from any source, such as a LinkedIn data breach.

1. Log in to https://www.linkedin.com/
2. Click on your profile image and then click on “Settings and Privacy”
3. Navigate to “Sign in & Security”
4. Click on the email address
5. Now the attacker clicks on the “Add email address” button. Here “urch****@gmail.com” is the victim’s email.
6. The attacker adds his email ID and password.
7. The attacker receives a verification link. The fun part is that the attacker gets the email verification link, but the primary email address does not. LinkedIn believes that if a user is logged into the app, that user is the owner of the account. I think they don’t consider that an attacker can also be logged into the app.
8. This is the email the attacker received.
9. After verification, the attacker has the right to make himself primary.
10. Here the attacker makes himself primary, and now the attacker has the right to delete the victim’s primary email without verification.
11. This is how the account takeover takes place, and in the same way my account was also hacked, and I am not getting any revert from LinkedIn.
12. The victim only gets this email about the update, and the fun part is that the instructions mention that you can delete the email address or change the primary email address. But the question is: if the attacker deletes the victim’s email address, then how can the victim log into that profile again? When the victim tries to log back into the account, the victim gets a completely new account with that email ID. It means the account takeover takes place just with credentials. By doing this, the attacker can also change the password. If a LinkedIn data breach happens at any time, then all these account takeovers will happen.
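As an added illustration (my own code, not the author’s and not LinkedIn’s), here is a small model of the two flows: the weak one the steps above describe, where promoting a newly verified address and deleting the old primary need only a logged-in session, and a hardened one where both changes are confirmed through a link sent to the current primary address. The addresses, class and function names are constructed for the example.

```python
import secrets


class Account:   # constructed model of an email-settings page, not LinkedIn's code
    def __init__(self, primary):
        self.primary, self.verified = primary, {primary}
        self.pending = {}   # token -> (action, address)
        self.outbox = []    # (recipient, token): stands in for the sent email
    def _mail_token(self, recipient, action, address):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (action, address)
        self.outbox.append((recipient, token))
        return token
    def confirm(self, token):   # someone clicked the link in an email
        action, address = self.pending.pop(token)
        if action == "verify":
            self.verified.add(address)
        elif action == "make_primary":
            self.primary = address
        elif action == "remove":
            self.verified.discard(address)
    def add_email(self, address):   # steps 5-8 of the post: link goes to the NEW address
        return self._mail_token(address, "verify", address)

    def change_weak(self, action, address):   # steps 9-10: a logged-in session is enough
        if action == "make_primary" and address in self.verified:
            self.primary = address
        elif action == "remove" and address != self.primary:
            self.verified.discard(address)

    def change_hardened(self, action, address):   # link goes to the CURRENT primary
        if address not in self.verified or address == self.primary:
            raise PermissionError("address must be verified and not the primary")
        return self._mail_token(self.primary, action, address)


def simulate(hardened):
    """Replay the post's steps with stolen credentials; return (primary, verified)."""
    victim, attacker = "victim@example.com", "attacker@example.net"  # constructed
    acct = Account(victim)
    acct.confirm(acct.add_email(attacker))        # attacker verifies his own address
    change = acct.change_hardened if hardened else acct.change_weak
    change("make_primary", attacker)
    for recipient, token in list(acct.outbox):    # attacker can only read his own mail
        if recipient == attacker and token in acct.pending:
            acct.confirm(token)
    try:
        change("remove", victim)                  # delete the victim's address
    except PermissionError:
        pass                                      # hardened: victim is still primary
    return acct.primary, sorted(acct.verified)
```

In the hardened run the attacker’s address stays on the account as a verified secondary address, which is why the notification the victim receives still matters.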

Impact

Unauthorized Account Takeover: Attackers can easily change the primary email address of a victim’s LinkedIn account without their knowledge or consent. This leads to unauthorized access to the account, giving attackers the ability to manipulate the account’s settings, post on behalf of the victim, and potentially misuse their personal information.

Data Privacy Breach: An account takeover not only compromises the victim’s personal information but may also expose sensitive data shared on the LinkedIn platform, including private messages, connections, and other professional information.

Reputation Damage: Account takeovers can be exploited for malicious purposes, such as spreading spam, misinformation, or engaging in other harmful activities using the victim’s identity. This can damage the victim’s professional reputation and credibility.

Loss of Control: Once an attacker gains control over the victim’s account, they can also delete the victim’s primary email address, making it difficult for the victim to regain access to their account. This effectively cuts off the victim from their LinkedIn profile and connections.

Potential Widespread Impact: In the event of a LinkedIn data breach, where many users’ credentials are compromised, the vulnerability could be exploited on a large scale, resulting in multiple account takeovers.
