Bug Report; Bypassing Weekly Limits In Basic (Free) LinkedIn Account

Publishing my first Security Vulnerability report for LinkedIn.

Below is the report I submitted to the LinkedIn Information Security Team.

---Begin Report---

Reported Issues

1. A flaw in LinkedIn connections: bypassing the weekly invitation limit in a Basic (free) account

Brief

A LinkedIn user on the free Basic plan was able to send connection requests without limit even after exceeding the "weekly limit". LinkedIn caps the number of people a member can send connection requests to in a week; once the cap is reached, a popup reading "You have reached your weekly limit" is shown and further requests are blocked. If the browser is switched to responsive mode (in most browsers: right-click the page, choose "Inspect", and enable the device toolbar) and the page is refreshed, LinkedIn serves its responsive (web lite) version. In that version, connection requests could still be sent after the limit had been reached: the limit was not enforced for requests made through the responsive version.
Impact: Basic users could bypass the weekly connection limit. LinkedIn reported this as a known issue, and it has since been fixed by the LinkedIn team.

Reproduction steps: In a web browser, open LinkedIn in responsive mode (which serves the web lite version). The individual steps are shown in the images below.
Browser used: Brave Browser, Chrome
OS: Windows 10, Windows 11
LinkedIn: web application
Severity: Medium

Image captions, in order: (1) connect after reaching weekly limit; (2) "reached weekly limit" popup; (3) inspect page to enter responsive mode; (4) refresh; (5) connect now; (6) invitation successful.

Timeline

Date         Report                                           Security Team's Response                               Status
2021-07-26   Reproduction steps                               Require additional info                                -
2021-07-27   PoC video and detailed steps                     Known issue, working on fix                            Known issue
2021-07-29   Disclosure policies; reported new bug (Issue 2)  Disclosure after the issue is fixed and team approval  Fixing, undisclosed
2021-09-02   Issue persists even after fix                    Rechecking                                             Fixed, undisclosed
2022-02-11   Draft                                            No objection to publish                                Disclosed
2022-02-15   -                                                -                                                      Published
--- End of Issue 1 ---

2. Ability to view and connect to 3rd+ degree (out-of-network) members

Brief

In this issue, a user was able to connect to 3rd+ (third-plus) degree members. LinkedIn groups members by connection degree; 3rd+ degree members are those beyond 3rd degree, i.e. outside your network, and their name is normally shown as the placeholder "LinkedIn Member". On the free Basic plan a user is not allowed to send them a connection request and cannot see their name or profile details (only their position and company). Using that position and company name as a search key, and following the same responsive-mode steps as in Issue 1 (the two issues are otherwise unrelated), the user could find the member's name and open their profile, seeing their name, profile details, activity and so on, which is not possible normally, and could then send them a connection request. This issue exposes the information (name, profile details, activities) of members to people outside their network and lets those people connect to them.
This issue was not previously known. It was reported, later verified and acknowledged by the LinkedIn Security team, and has now been tested and fixed.

Reproduction steps: In a web browser, open LinkedIn in responsive mode (which serves the web lite version). The individual steps are shown in the images below.
Browser used: Brave Browser, Chrome
OS: Windows 10, Windows 11
LinkedIn: web application
Impact: Medium
Information security (user data, activity and privacy, via connection/message): Medium

Image captions, in order: (1) find people who are out of your network; (2) copy their position or any other identifying info; (3) profile access not possible; (4) inspect page to enter responsive mode; (5) refresh page; (6) paste the info copied earlier; (7) the profile is now accessible; (8) send connection request; (9) invitation sent.
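The report describes the symptom of both issues (the responsive/lite version did not apply the weekly limit or the 3rd+ degree visibility rule) but, naturally, not LinkedIn's implementation. The following is an added example, not code from the report or from LinkedIn, that models the class of bug behind both issues in a toy service: a quota check and a visibility check that live in one client's request path instead of at the data layer, so a second client ("lite") sharing the same invite counter skips them. The quota value, the "web"/"lite" client names, the member network, the profile records and every function name are constructed for the example.

```python
from collections import defaultdict, deque

# Assumed values for the toy model; the report does not state LinkedIn's real quota.
WEEKLY_INVITE_LIMIT = 2
MAX_VISIBLE_DEGREE = 3  # 1st, 2nd and 3rd degree are in-network; beyond that is "3rd+"

# Constructed sample network (a chain). From alice: bob=1st, carol=2nd,
# dave=3rd, erin=4th degree ("3rd+", out of network).
SAMPLE_NETWORK = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob", "dave"},
    "dave": {"carol", "erin"},
    "erin": {"dave"},
}

# Constructed profile records with hypothetical fields.
SAMPLE_PROFILES = {
    name: {"name": name, "position": f"Engineer {i}", "company": "ExampleCo",
           "activity": [f"{name} posted an update"]}
    for i, name in enumerate(SAMPLE_NETWORK)
}


def connection_degree(network, src, dst):
    """Breadth-first hop count from src to dst; None when dst is unreachable."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in network.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


class MemberService:
    """Handles invite and profile requests from the 'web' and 'lite' clients.

    checked_clients names the clients whose request path runs the quota and
    visibility checks. Buggy configuration: only 'web'. Fixed configuration:
    every client, so the rule sits with the data, not in one client's code.
    """

    def __init__(self, network, profiles, checked_clients):
        self.network = network
        self.profiles = profiles
        self.checked_clients = frozenset(checked_clients)
        self.invites_sent = defaultdict(int)  # keyed by account, shared by all clients

    def _checks_apply(self, client):
        return client in self.checked_clients

    def _out_of_network(self, viewer, target):
        degree = connection_degree(self.network, viewer, target)
        return degree is None or degree > MAX_VISIBLE_DEGREE

    def send_invite(self, user, target, client):
        if self._checks_apply(client):
            if self.invites_sent[user] >= WEEKLY_INVITE_LIMIT:
                return {"ok": False, "error": "You have reached your weekly limit"}
            if self._out_of_network(user, target):
                return {"ok": False, "error": "Member is outside your network"}
        self.invites_sent[user] += 1
        return {"ok": True}

    def view_profile(self, viewer, target, client):
        record = dict(self.profiles[target])
        if self._checks_apply(client) and self._out_of_network(viewer, target):
            # For 3rd+ members only position and company are meant to be visible.
            record["name"] = "LinkedIn Member"
            record["activity"] = []
        return record


def reproduce(checked_clients):
    """Replay both issues against a service with the given checked clients."""
    svc = MemberService(SAMPLE_NETWORK, SAMPLE_PROFILES, checked_clients)
    # Issue 1: exhaust the quota on the web client, then retry from the lite client.
    web_invites = [svc.send_invite("alice", t, "web")["ok"] for t in ("bob", "carol", "dave")]
    lite_invite_after_limit = svc.send_invite("alice", "dave", "lite")["ok"]
    # Issue 2: erin is 4th degree, so her name should stay masked and an
    # invite to her should be refused on every client, not just on 'web'.
    return {
        "web_invites": web_invites,
        "lite_invite_after_limit": lite_invite_after_limit,
        "web_name": svc.view_profile("alice", "erin", "web")["name"],
        "lite_name": svc.view_profile("alice", "erin", "lite")["name"],
        "lite_invite_out_of_network": svc.send_invite("alice", "erin", "lite")["ok"],
    }


if __name__ == "__main__":
    print("buggy (checks only on web):", reproduce({"web"}))
    print("fixed (checks on every client):", reproduce({"web", "lite"}))
```

In the buggy configuration the web client reports the limit as reached while the lite client keeps sending invites against the same counter, and the lite client returns erin's real name and activity; in the fixed configuration both clients get the same refusals and the same "LinkedIn Member" placeholder. The design point is that both rules are evaluated inside `MemberService` from the caller's account and the member graph alone, never from which client made the request.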

Timeline

Date         Report                                   Security Team's Response       Status
2021-07-29   Issue report, 3rd+ degree connection     -                              -
2021-09-14   -                                        Require additional info, PoC   -
2021-09-21   Sent PoC video                           Acknowledgement                Investigating (2021-10-19)
2021-11-02   -                                        Update                         Confirmed issue
2021-11-17   Tested fixed issue                       Updated as fixed               Fixing
2021-11-18   Retested, reported as still not fixed    Acknowledgement                Issue persists
2021-12-20   Tested and confirmed                     Updated as fixed               Fixed, undisclosed
2022-02-11   Draft                                    No objection to publish        Disclosed
2022-02-15   -                                        -                              Published
---End of Issue 2---
---End of Report---

P.S.: I am new to both blogging and bug bounty. I may update the content of this blog (not the actual report, but the motivation, drafts and report timeline, HackerOne's bounty programs, any related queries hereafter, etc.).