- Published on
LinkedIn Hacked - Entire database of emails exposed
LinkedIn Hacked - Entire Database of Emails Exposed
The recent LinkedIn hack could have potentially exposed its entire database of emails. The breach was discovered by a security researcher known as Ultra Power. The root cause lies in a vulnerability within LinkedIn's API, specifically in its decoration feature. This feature enables the expansion of URL fields for easier access to uniform resource names (URNs), which uniquely identify and interact with objects in the API.
What is a URN?
A URN, or Uniform Resource Name, is a unique identifier used in APIs to distinguish specific objects. It facilitates interaction with these objects without needing to make additional API calls.
The Vulnerability Explained
The purpose of the decoration feature is to fetch data belonging to a URN object efficiently. However, the problem arises because LinkedIn's query engine does not verify whether a field should be expandable, rendering every field vulnerable to expansion. This means that various sensitive fields within a user's profile, such as email addresses, become susceptible to unauthorized access.
Exploiting the Bug
To exploit this bug, an attacker can assign a URN value to a text field within a LinkedIn profile. By using the decoration feature in a query, the attack can retrieve the associated email address. Given that LinkedIn email IDs are generated sequentially, this exploit can expose the entire email database.
Keywords
- Hack
- Vulnerability
- API
- URN
- Decoration Feature
- Email Database
- Security Breach
FAQ
1. What caused the LinkedIn hack? The hack was caused by a vulnerability in LinkedIn's API, specifically in the decoration feature that allows for the expansion of URL fields.
2. What is a URN? A URN, or Uniform Resource Name, is a unique identifier used in APIs to identify and interact with specific objects.
3. How does the decoration feature lead to data exposure? The decoration feature allows for the fetching of data belonging to a URN object without additional API calls. The vulnerability is that the query engine does not check whether a field should be expandable, making every field, including sensitive ones like email addresses, susceptible to exploitation.
4. Can the entire email database be exposed? Yes, since LinkedIn email IDs are generated sequentially, exploiting this bug can lead to the exposure of the entire email database.
5. What can users do to protect their information? Users are advised to keep their profiles up-to-date with privacy settings, be cautious of suspicious activity, and stay informed about security best practices. They should also change their passwords regularly and enable two-factor authentication.