Article follows (Original here):
I really need to find a better hobby. Apparently, normal people don't think about website behaviors nor do they try to exploit them like some damn child prodigy looking at a crypto puzzle in a Bruce Willis Movie (Mercury Rising). I'm not saying I am a child prodigy by any means. I am 31.
This story starts on a sunny day in Seattle, and yes, we have plenty of those days here. 5 to be exact. The rest of the year is terrible so don't move here, its awful, and you won't like it. The traffic problem is bad enough as it is. So stay in Arizona, California, or whatever state you are still in because the grass is not greener here.
There I was at work, minding my own business and kicking ass as usual when I started to get the pangs of longing for engaging, collaboration and connecting that only LinkedIn could provide. LinkedIn has officially become more important to me than Facebook. I take my careervery seriously as anyone can see from my LinkedIn profile.
Something had been bugging me though. It had to do with the way LinkedIn structured their website security / permissions around invitations and profile views. This persistent nagging turned into fierce annoyance after thinking about it for too long and finally I had enough. It was time to solve this mystery once and for all.
Here is what I was able to discover
Let's say that you have a basic membership. There are a variety of restrictions in place that prevent you from being able to network with people outside of your work / social circles. Say you were to invite someone you don't know. Either you will be asked to provide the users email address, or click a radio button to tell the person how you know them. This could be a colleague, friend, former co-worker or just some random girl you happen to be stalking because she is cute and you want to help her "develop her resume".
Now I noticed that when users viewed my profile, there was a button to invite them at the bottom of their picture. Example below.
To the left you notice that this person viewed your profile while conducting his search for "henchmen." He views your profile, but that's it. Perhaps you are you not evil enough to his requirements, or maybe he is just too busy to send an invite.
If you click on the button to add him, it would send him an invitation. However, if you went to his profile first, and clicked connect, it would ask you to "clarify" your relationship with this person like a 14 year old clingy teenager passing notes in 3rd period. Some users don't appreciate unsolicited invitations so they require that someone knows their email address to be able to send an invitation. This security requirement was "waived" if they had viewed your profile. This was fine and dandy until I figured out that I could trick LinkedIn into thinking that anyone I wanted had viewed my profile.
Bring on the Geek Speak
This is where things get a little bit geeky. The URL that the above button linked to vs the regular connect button was different. The button's behavior was centered around the fact that the user had viewed you and therefore knew of your existence. So if you could get someone to view your profile who had their security setting enabled to require an email address, it would make no difference in the world. Here is half of that URL string:
The part following "ed=" is some sort of variable that the link would populate to identify the individual user. This "token" was an identifier of the person that had viewed you, and the URL was the fast track to inviting them. I should note that this token is about 24 characters long and is NOT available on the users profile page. So how do you get that token? You have to look on other users pages for it. Here is how that was accomplished.
Search for Bryan Seely on LinkedIn you will find this little section to the right. There are 10 users. Now right click on the page and click "view page source". CTRL-F to find a specific word, and look for "ed=" without quotes. Go to the bottom of the search results and you are going to find 10 results that all have this 24 character string after the ed=. Those tokens will be for the 10 people to the right in the "People Also Viewed" section.
Now if you haven't put it together yet, don't feel bad. Those strings can be inserted in place of the security token of the person who had previously viewed your profile.
Paste the original link from the Dr. Evil add button into notepad and then replace his token with one that you grabbed from my buddy Zuckerberg (although I have a feeling he might not return my calls due to my previous mention of Facebook not being as important anymore.)
Paste that link into a new tab, and an oddly shaped invitation page would come up with the person's name, and the custom field to send them a message of your choosing. Click the send button and off it went.
So I now had the ability to invite whomever I wanted, but I hadn't confirmed that the invitation was actually going to be sent out. So I proceeded to gather as many security tokens as I possibly could. As you might have guessed, I sent invitations to Bill Gates, Mark Zuckerberg, Michael Dell, Mark Cuban and even the CEO of LinkedIn. Whoops?
I am Bryan's Complete Lack of Surprise
I was not surprised when none of them accepted my invitation to connect, until Steve Wozniak did. Then Daymond John the CEO of FUBU accepted too. The invitations were showing up in my sent items and famous people were either ignoring me or they will get to adding me when they are back from Africa fighting malaria / tuberculosis or whatever other selfish pursuits they are throwing tens of Billions of dollars at. I feel good giving $100 to charity, imagine how good you would feel giving $50 Billion, see? Selfish.
I must clarify that some of the users that I sent invitations to did not have email address validation requirements. But some of them did. This URL trick didn't seem to care about that at all. This was a definite problem. Not only did it allow me to send invitations to anyone, it also allowed me to send messages to whomever I wanted, without having to pay for Inmail or any upgrade to my account.
After sufficient testing and the creation of a dummy account to test the receipt of the invitations, I sent an email to [email protected] Now my relationship with large website security teams thus-far has not been ideal. I spent months telling Google of a huge problem, and had to record conversations to the Secret Service and FBI to get them to do anythingabout it. They refused help, they refused advice, and refused to fix the problem. They shared nothing, admitted no problems, and essentially denied that the problem even existed. They shut off new business registrations for over a month, and didn't fix a thing. It's actually worse now than it was when I reported it. I could easily do it all over again and Google won't stop it.
Color Me Impressed
Within a few hours of sending LinkedIn an email, an actual human responded. I was going to call the person Steven Tyler (because he is a frickin rock-star) but that is not giving proper credit where it is due. David Cintz is a Technical Program Manager with LinkedIn Security. He isn't a low level Tier 1 analyst, or a customer service rep. This is a guy who can actually fix the problem. I don't know what the internal escalation steps are, but LinkedIn treats problems seriously and doesn't waste time having someone unqualified pull up an email and then try to figure out if it is serious or not. David Cintz handled everything perfectly, from start to finish. He responded to every email, with either acknowledgement or thanks, promptly, and I was treated with respect. This is the way to handle this. David and his team set the bar for what my expectations are for every company that I will ever deal with in the future.
Now keep in mind that this was Thursday and he replied numerous times on Friday, Saturday and Sunday. This guy isn't some shift worker that works odd days of the week. This is a technical program manager in the security department who is responding in the evenings and over the weekend to make sure that they are able to solve this problem to protect their members.
Forgetting for a moment that by discovering this exploit, I probably screwed up a few people's weekend plans, the LinkedIn Security Team had the problem entirely fixed well before start of business on Monday. They even politely asked me not to release the exploit details until they had a fix in place. I am certain that other companies would lawyer up, make threats or otherwise escalate the situation. LinkedIn handled the entire situation with grace, tact, and professionalism. They recognized that I was not the enemy and didn't waste a single second to protect their members, and in doing so, they were able to engage and communicate with me to fix the issue much faster than if they had ignored or otherwise mishandled the situation.
The Merch of Silicon Valley
After it was all said and done, the problem was fixed quickly. I politely asked for a potential reward to include but not limited to: T-shirt or polo shirts, stickers, a LinkedIn branded Ferrari, cute female interns, or perhaps a water bottle or pen. They sent me a majority of the things on my list as a thank you. The Barbie doll riding a Hot-Wheels car inside of the water bottle was a nice touch.
Kissing A** and Dropping Names
I am a huge fan of LinkedIn. It has allowed me to now network with several heroes of mine, Kevin Mitnick and Steve Wozniak being two of the biggest. I met people who then got me the job that I have now. I was connected to a charity which allowed me to mentor young Marines and other veterans coming back to the civilian world. I have made friends, colleagues, and been able to engage others to form relationships that are transforming my life daily. After this extremely positive interaction with LinkedIn Security and seeing how well lead and managed they are at every step of the way, I can safely say that I am in good hands with
Bold Type and Bold Claims
Hell, the CEO might love LinkedIn, but I wager to say I love it more. On a percentage basis, it has changed my life far more than I ever thought possible and LinkedIn has gained an evangelist for life.
What's next for me? I wish I knew. Stay tuned though, I am just getting warmed up. Now I really have to go prep for Miss America 2015, as hacking is not an easy thing to showcase during the talent portion. I have to do well on the talent portion as the swimsuit portion seems to give me problems.
Your friendly neighborhood ethical hacker, US Marine and comedian,
For spelling or grammar complaints: 1-800-THIS-IS-TOO-MANY-NUMBERS
email: [email protected]_thats6as.com
Also, for those people who want to say this is not technically hacking, you are correct. If you can think of a verb that better describes what this was in 2 syllables or less, please feel free to let me know. Otherwise write your complaint out, and then go search Google for your purpose in life because you need to do something more constructive with your time.