A Bug Hunt Horror Story: LinkedIn Premium Free Forever

Faizan Ahmad Wani
3 min read · Aug 5, 2023


Welcome to my blog!

I’m a LinkedIn user who has used up both of his one-month trials. Now guess what: if I want more of LinkedIn’s premium features, I definitely need to pay. But imagine not having to pay and grabbing LinkedIn Premium free every month. Isn’t that every LinkedIner’s dream, eh?

Approximately one year ago (July 14, 2022), I reported to LinkedIn a flaw in their trial activations which, when exploited, could have allowed a user to enjoy LinkedIn Premium free forever, without paying a penny.

However, this finding was marked as NO IMPACT and CLOSED!!! LinkedIn later rolled out a fix for it, silently.

So, let’s begin the story ;)

While testing the premium functionality, I noticed that a unique URL is associated with an account. It is generated during the flow a newly signed-up LinkedIn user goes through when they wish to explore the premium trial. This unique link then sets the billing cost to $0 at checkout, allowing the user to enjoy the premium trial. But guess what? This process had a major flaw.

The identifiers sent in the POST request body were uniquely generated for that new account, but a missing authorisation check allowed an old LinkedIn user to submit those same identifiers from his own session and obtain a URL that set the billing cost to $0 for his old account. In other words, the server trusted the trial identifiers in the request body without verifying that they had been issued to the account making the request, or that this account was still eligible for a free trial.

Over time, I tried to contact LinkedIn Support, Customer Care and the HackerOne team, demonstrating the business impact, but guess what: same response, same replies and a huge comprehension failure. Attached is a screenshot from my LinkedIn from when I was constantly in touch with LinkedIn demonstrating the impact.

With that being said, let’s dive into the PoC. The PoC is simple, and I will share exactly what I shared with the LinkedIn team as well:

Prerequisites:
1) A LinkedIn account that has used both of its free trials, the Learning one and the standard one.
2) A fresh email address on which you can create a new LinkedIn account.

Steps:
1) Create a fresh LinkedIn account.
2) As we know, new LinkedIn accounts get one month of Premium free, so we will use the premium trial of this fresh account in our old account (where we have already used both trials).
3) Click on “Try Premium for free”, and when you click on “Start my free month”, capture that request.
4) Take the full HTTP request, including the body, and send it to Repeater.
5) Replace its cookies and CSRF token with those of the old account (where you wish to activate one more month of trial).
6) Send the request; in the response you will get a “checkoutUrl”, which will be unique to your old account.
7) Copy and paste the URL into your browser, and you are good to use Premium free for one month. That month belonged to the freshly created user, but you can use it in your old account!

Go ahead with the flow and LinkedIn’s standard credit-card verification, and you can easily use Premium free. I used the same thing on my own LinkedIn ID and it worked.
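To make the missing check concrete, here is a small Python model of the trial-activation handler, written for this post. It is not LinkedIn’s code, and every name in it (the in-memory ACCOUNTS table, issue_trial_token, activate_trial_vulnerable, activate_trial_fixed and the checkout URL format) is an assumption. It replays steps 3 to 6 above: a trial token minted for the fresh account is submitted from the old account’s session. The vulnerable handler only checks that the token exists and hands the old account a $0 checkout URL; the hardened handler refuses because the token was issued to a different account, and it would also refuse an account that has already consumed its trial.

```python
"""Toy model of the trial-activation flaw and of the authorisation check
that closes it. Illustrative code for this post only; NOT LinkedIn's code.
All names, the token format and the checkout URL shape are assumptions."""

import secrets

# Constructed sample data: a fresh account with an unused trial and an old
# account that has already consumed its trial.
ACCOUNTS = {
    "fresh_user": {"trials_used": 0},
    "old_user": {"trials_used": 1},
}
MAX_FREE_TRIALS = 1

# trial_token -> user_id the token was issued to. Filled in by the
# "Try Premium for free" flow of the account that started it (step 3).
ISSUED_TRIAL_TOKENS = {}


def issue_trial_token(user_id):
    """Mint the unique identifier that the 'Start my free month' flow puts
    in the POST body for the account that requested it."""
    token = secrets.token_hex(16)
    ISSUED_TRIAL_TOKENS[token] = user_id
    return token


def checkout_url(user_id, price):
    """Assumed shape of the checkoutUrl returned in the response."""
    return f"https://checkout.example/{user_id}?price={price}"


def activate_trial_vulnerable(session_user, trial_token):
    """Vulnerable handler: trusts the token in the POST body. It checks only
    that the token exists, never that it belongs to session_user or that
    session_user is still eligible for a free trial."""
    if trial_token not in ISSUED_TRIAL_TOKENS:
        raise ValueError("unknown trial token")
    # Billing cost is set to 0 for whoever holds the session (the replayed
    # cookies + CSRF token of step 5), not for the account the token was
    # minted for.
    return checkout_url(session_user, 0)


def activate_trial_fixed(session_user, trial_token):
    """Hardened handler: the token must have been issued to the account that
    presents it, that account must still be eligible, and the token is
    consumed on use."""
    owner = ISSUED_TRIAL_TOKENS.get(trial_token)
    if owner is None:
        raise PermissionError("unknown trial token")
    if owner != session_user:
        # Token captured from the fresh account, replayed from the old one.
        raise PermissionError("trial token not issued to this account")
    if ACCOUNTS[session_user]["trials_used"] >= MAX_FREE_TRIALS:
        raise PermissionError("free trial already consumed")
    del ISSUED_TRIAL_TOKENS[trial_token]  # single use
    ACCOUNTS[session_user]["trials_used"] += 1
    return checkout_url(session_user, 0)


def replay_demo():
    """Steps 3 to 6 of the PoC against both handlers: capture the fresh
    account's token, then submit it from the old account's session."""
    token = issue_trial_token("fresh_user")
    result = {"vulnerable": None, "fixed": None}
    result["vulnerable"] = activate_trial_vulnerable("old_user", token)
    try:
        activate_trial_fixed("old_user", token)
        result["fixed"] = "accepted"
    except PermissionError as err:
        result["fixed"] = str(err)
    return result


if __name__ == "__main__":
    print(replay_demo())
```

The order of the checks in the hardened handler matters: ownership of the token is verified against the authenticated session first, then eligibility of that account, and only then is the token consumed, so a replayed identifier never reaches the step that produces a $0 checkout URL. Whatever LinkedIn’s eventual fix looked like is not known from this post; the point of the model is that the identifiers in the request body are not a credential and must be bound server-side to the account they were issued for.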

I also submitted a video PoC for this vulnerability, but they kept ignoring it (for learning purposes, if you require a copy of it, I can share it in the comments!).

After that, here is what the HackerOne team said:

The discussion kept going on, but it was the same stuff:

That’s it for this blog, guys. Have a great week!
