Anand Prakash, who is an ethical hacker and CEO of cybersecurity firm Pingsafe, has found a security gap in LinkedIn, which could have led to the deletion of any posts by any individual or organisation on the professional networking platform.
The flaw was detected by Prakash as part of a bug bounty programme, which provides financial incentives to those who find security flaws or vulnerabilities in an organisation's internet-facing applications.
Though the bug was discovered and fixed in 2018, LinkedIn only gave permission to disclose it in April 2023, Prakash told Moneycontrol. He was awarded $10,000 for unearthing the vulnerability.
In a statement to Moneycontrol, LinkedIn said, "At LinkedIn, security and privacy of our members is our utmost priority and we have multiple measures in place to ensure the safety of our members every step of the way. This issue was addressed and solved years ago via our bug bounty program."
Prakash said the bug could have allowed anyone to send specific requests to LinkedIn servers that would have resulted in the deletion of any post on the platform.
"If left unaddressed, this vulnerability could have been exploited to remove important content, such as individual/company posts, causing significant damage to individuals or companies," a blogpost by Pingsafe said.
"This vulnerability arose due to a lack of proper authorization checks on the delete post API request on the mobile website. As a result, an attacker could change the 'objectUrn' in the delete post request, which is available publicly for all posts, and delete the post using their session."
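The flaw class the blogpost describes is a delete endpoint that authenticates the caller but never checks that the caller owns the object named by the client-supplied identifier. The following is an added illustration, not LinkedIn's or Pingsafe's code: a toy post store with a handler that trusts the client's identifier beside one that ties the object to the session user; the store, user names and `urn:example:post:...` identifiers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Post:
    object_urn: str  # public identifier, visible to anyone who can view the post
    owner_id: str
    body: str


@dataclass
class PostStore:
    posts: dict = field(default_factory=dict)

    def add(self, post: Post) -> None:
        self.posts[post.object_urn] = post


def make_store() -> PostStore:
    # Constructed sample data: two users, one post each.
    store = PostStore()
    store.add(Post("urn:example:post:1001", "alice", "Alice's post"))
    store.add(Post("urn:example:post:1002", "bob", "Bob's post"))
    return store


def delete_post_vulnerable(store: PostStore, session_user, object_urn: str) -> bool:
    # Checks only that a session exists, then deletes whatever the client named.
    # Any logged-in user can therefore delete any post by changing object_urn.
    if session_user is None:
        return False
    return store.posts.pop(object_urn, None) is not None


def delete_post_secure(store: PostStore, session_user, object_urn: str) -> bool:
    # Resolves the object server-side and requires the session user to own it.
    if session_user is None:
        return False
    post = store.posts.get(object_urn)
    # Same denial for "missing" and "not yours", so the response does not
    # reveal whether a guessed identifier exists.
    if post is None or post.owner_id != session_user:
        return False
    del store.posts[object_urn]
    return True
```

In production the ownership check belongs in the data layer (for example, a delete query filtered on both the identifier and the authenticated owner), so that no handler can omit it.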
Prakash has also found and reported vulnerabilities on social media platforms such as Twitter and Tinder and ride-sharing platform Uber.
