LinkedIn – Changing Our Account Type from Normal to “Premium” by Manipulating the “CartId” Parameter

In the name of Allah, the Most Gracious, the Most Merciful.

Description: A simple parameter pollution in the CartId parameter that could allow anyone to get the “Premium” account type for free (without needing to buy it).

The issue was found by simply switching our access to LinkedIn from the web version to the mobile version. Even though this one is simple and certainly did not cause any loss, LinkedIn still responded to the ticket nicely and gave updates very fast. So glad to have run into this situation.

Business Logic Issue
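The defensive side of the bug described above, as an added example that is not LinkedIn's code or the author's: a checkout handler that rejects a polluted (duplicated) cartId and grants a plan only from server-side cart state (owner, paid flag, plan), never from anything the client sends. The parameter name `cartId`, the `Cart` records and `CheckoutError` are assumptions for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Cart:
    owner: str   # account that created the cart
    plan: str    # plan actually held in the cart, e.g. "premium"
    paid: bool   # set only by the server after the payment provider confirms


# Constructed sample data (assumption): one paid cart, one unpaid cart.
CARTS = {
    "c-1001": Cart(owner="alice", plan="premium", paid=True),
    "c-2002": Cart(owner="bob", plan="premium", paid=False),
}


class CheckoutError(Exception):
    pass


def single_param(query: str, name: str) -> str:
    """Return the one value of `name`; reject a missing or duplicated parameter."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise CheckoutError(f"{name} must appear exactly once, got {len(values)}")
    return values[0]


def grant_plan(authenticated_user: str, query: str) -> str:
    """Decide which plan to grant using server-side cart state only."""
    cart_id = single_param(query, "cartId")
    cart = CARTS.get(cart_id)
    if cart is None:
        raise CheckoutError("unknown cart")
    if cart.owner != authenticated_user:
        raise CheckoutError("cart does not belong to the caller")
    if not cart.paid:
        raise CheckoutError("cart has not been paid")
    # The plan comes from the cart record, never from a client parameter.
    return cart.plan


def checkout(authenticated_user: str, query: str) -> str:
    """Wrapper that turns a refusal into a 'denied: ...' string for logging."""
    try:
        return grant_plan(authenticated_user, query)
    except CheckoutError as exc:
        return f"denied: {exc}"
```

The same checks must run on every channel (web and mobile APIs alike), since the original issue surfaced by moving between the two.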

PoC Video:

Additional Information:

  • Reported Date: Apr 13th, 2018 – 08:54 GMT+7
  • Response Date: Apr 13th, 2018 – 09:52 GMT+7 (only 58 minutes – thanks, Luke!)
  • Acknowledged: Apr 15th, 2018 – 05:04 GMT+7
